xref: /freebsd/contrib/unbound/services/authzone.c (revision 7fdf597e96a02165cfe22ff357b857d5fa15ed8a)
1 /*
2  * services/authzone.c - authoritative zone that is locally hosted.
3  *
4  * Copyright (c) 2017, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * This file contains the functions for an authority zone.  This zone
40  * is queried by the iterator, just like a stub or forward zone, but then
41  * the data is locally held.
42  */
43 
44 #include "config.h"
45 #include "services/authzone.h"
46 #include "util/data/dname.h"
47 #include "util/data/msgparse.h"
48 #include "util/data/msgreply.h"
49 #include "util/data/msgencode.h"
50 #include "util/data/packed_rrset.h"
51 #include "util/regional.h"
52 #include "util/net_help.h"
53 #include "util/netevent.h"
54 #include "util/config_file.h"
55 #include "util/log.h"
56 #include "util/module.h"
57 #include "util/random.h"
58 #include "services/cache/dns.h"
59 #include "services/outside_network.h"
60 #include "services/listen_dnsport.h"
61 #include "services/mesh.h"
62 #include "sldns/rrdef.h"
63 #include "sldns/pkthdr.h"
64 #include "sldns/sbuffer.h"
65 #include "sldns/str2wire.h"
66 #include "sldns/wire2str.h"
67 #include "sldns/parseutil.h"
68 #include "sldns/keyraw.h"
69 #include "validator/val_nsec3.h"
70 #include "validator/val_nsec.h"
71 #include "validator/val_secalgo.h"
72 #include "validator/val_sigcrypt.h"
73 #include "validator/val_anchor.h"
74 #include "validator/val_utils.h"
75 #include <ctype.h>
76 
77 /** bytes to use for NSEC3 hash buffer. 20 for sha1 */
78 #define N3HASHBUFLEN 32
79 /** max number of CNAMEs we are willing to follow (in one answer) */
80 #define MAX_CNAME_CHAIN 8
81 /** timeout for probe packets for SOA */
82 #define AUTH_PROBE_TIMEOUT 100 /* msec */
83 /** when to stop with SOA probes (when exponential timeouts exceed this) */
84 #define AUTH_PROBE_TIMEOUT_STOP 1000 /* msec */
85 /* auth transfer timeout for TCP connections, in msec */
86 #define AUTH_TRANSFER_TIMEOUT 10000 /* msec */
87 /* auth transfer max backoff for failed transfers and probes */
88 #define AUTH_TRANSFER_MAX_BACKOFF 86400 /* sec */
89 /* auth http port number */
90 #define AUTH_HTTP_PORT 80
91 /* auth https port number */
92 #define AUTH_HTTPS_PORT 443
93 /* max depth for nested $INCLUDEs */
94 #define MAX_INCLUDE_DEPTH 10
95 /** number of timeouts before we fallback from IXFR to AXFR,
96  * because some versions of servers (eg. dnsmasq) drop IXFR packets. */
97 #define NUM_TIMEOUTS_FALLBACK_IXFR 3
98 
99 /** pick up nextprobe task to start waiting to perform transfer actions */
100 static void xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env,
101 	int failure, int lookup_only);
102 /** move to sending the probe packets, next if fails. task_probe */
103 static void xfr_probe_send_or_end(struct auth_xfer* xfr,
104 	struct module_env* env);
105 /** pick up probe task with specified(or NULL) destination first,
106  * or transfer task if nothing to probe, or false if already in progress */
107 static int xfr_start_probe(struct auth_xfer* xfr, struct module_env* env,
108 	struct auth_master* spec);
109 /** delete xfer structure (not its tree entry) */
110 static void auth_xfer_delete(struct auth_xfer* xfr);
111 
112 /** create new dns_msg */
113 static struct dns_msg*
114 msg_create(struct regional* region, struct query_info* qinfo)
115 {
116 	struct dns_msg* msg = (struct dns_msg*)regional_alloc(region,
117 		sizeof(struct dns_msg));
118 	if(!msg)
119 		return NULL;
120 	msg->qinfo.qname = regional_alloc_init(region, qinfo->qname,
121 		qinfo->qname_len);
122 	if(!msg->qinfo.qname)
123 		return NULL;
124 	msg->qinfo.qname_len = qinfo->qname_len;
125 	msg->qinfo.qtype = qinfo->qtype;
126 	msg->qinfo.qclass = qinfo->qclass;
127 	msg->qinfo.local_alias = NULL;
128 	/* non-packed reply_info, because it needs to grow the array */
129 	msg->rep = (struct reply_info*)regional_alloc_zero(region,
130 		sizeof(struct reply_info)-sizeof(struct rrset_ref));
131 	if(!msg->rep)
132 		return NULL;
133 	msg->rep->flags = (uint16_t)(BIT_QR | BIT_AA);
134 	msg->rep->authoritative = 1;
135 	msg->rep->reason_bogus = LDNS_EDE_NONE;
136 	msg->rep->qdcount = 1;
137 	/* rrsets is NULL, no rrsets yet */
138 	return msg;
139 }
140 
141 /** grow rrset array by one in msg */
142 static int
143 msg_grow_array(struct regional* region, struct dns_msg* msg)
144 {
145 	if(msg->rep->rrsets == NULL) {
146 		msg->rep->rrsets = regional_alloc_zero(region,
147 			sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1));
148 		if(!msg->rep->rrsets)
149 			return 0;
150 	} else {
151 		struct ub_packed_rrset_key** rrsets_old = msg->rep->rrsets;
152 		msg->rep->rrsets = regional_alloc_zero(region,
153 			sizeof(struct ub_packed_rrset_key*)*(msg->rep->rrset_count+1));
154 		if(!msg->rep->rrsets)
155 			return 0;
156 		memmove(msg->rep->rrsets, rrsets_old,
157 			sizeof(struct ub_packed_rrset_key*)*msg->rep->rrset_count);
158 	}
159 	return 1;
160 }
161 
162 /** get ttl of rrset */
163 static time_t
164 get_rrset_ttl(struct ub_packed_rrset_key* k)
165 {
166 	struct packed_rrset_data* d = (struct packed_rrset_data*)
167 		k->entry.data;
168 	return d->ttl;
169 }
170 
171 /** Copy rrset into region from domain-datanode and packet rrset */
172 static struct ub_packed_rrset_key*
173 auth_packed_rrset_copy_region(struct auth_zone* z, struct auth_data* node,
174 	struct auth_rrset* rrset, struct regional* region, time_t adjust)
175 {
176 	struct ub_packed_rrset_key key;
177 	memset(&key, 0, sizeof(key));
178 	key.entry.key = &key;
179 	key.entry.data = rrset->data;
180 	key.rk.dname = node->name;
181 	key.rk.dname_len = node->namelen;
182 	key.rk.type = htons(rrset->type);
183 	key.rk.rrset_class = htons(z->dclass);
184 	key.entry.hash = rrset_key_hash(&key.rk);
185 	return packed_rrset_copy_region(&key, region, adjust);
186 }
187 
188 /** fix up msg->rep TTL and prefetch ttl */
189 static void
190 msg_ttl(struct dns_msg* msg)
191 {
192 	if(msg->rep->rrset_count == 0) return;
193 	if(msg->rep->rrset_count == 1) {
194 		msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]);
195 		msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
196 		msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
197 	} else if(get_rrset_ttl(msg->rep->rrsets[msg->rep->rrset_count-1]) <
198 		msg->rep->ttl) {
199 		msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[
200 			msg->rep->rrset_count-1]);
201 		msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
202 		msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
203 	}
204 }
205 
206 /** see if rrset is a duplicate in the answer message */
207 static int
208 msg_rrset_duplicate(struct dns_msg* msg, uint8_t* nm, size_t nmlen,
209 	uint16_t type, uint16_t dclass)
210 {
211 	size_t i;
212 	for(i=0; i<msg->rep->rrset_count; i++) {
213 		struct ub_packed_rrset_key* k = msg->rep->rrsets[i];
214 		if(ntohs(k->rk.type) == type && k->rk.dname_len == nmlen &&
215 			ntohs(k->rk.rrset_class) == dclass &&
216 			query_dname_compare(k->rk.dname, nm) == 0)
217 			return 1;
218 	}
219 	return 0;
220 }
221 
222 /** add rrset to answer section (no auth, add rrsets yet) */
223 static int
224 msg_add_rrset_an(struct auth_zone* z, struct regional* region,
225 	struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
226 {
227 	log_assert(msg->rep->ns_numrrsets == 0);
228 	log_assert(msg->rep->ar_numrrsets == 0);
229 	if(!rrset || !node)
230 		return 1;
231 	if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
232 		z->dclass))
233 		return 1;
234 	/* grow array */
235 	if(!msg_grow_array(region, msg))
236 		return 0;
237 	/* copy it */
238 	if(!(msg->rep->rrsets[msg->rep->rrset_count] =
239 		auth_packed_rrset_copy_region(z, node, rrset, region, 0)))
240 		return 0;
241 	msg->rep->rrset_count++;
242 	msg->rep->an_numrrsets++;
243 	msg_ttl(msg);
244 	return 1;
245 }
246 
247 /** add rrset to authority section (no additional section rrsets yet) */
248 static int
249 msg_add_rrset_ns(struct auth_zone* z, struct regional* region,
250 	struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
251 {
252 	log_assert(msg->rep->ar_numrrsets == 0);
253 	if(!rrset || !node)
254 		return 1;
255 	if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
256 		z->dclass))
257 		return 1;
258 	/* grow array */
259 	if(!msg_grow_array(region, msg))
260 		return 0;
261 	/* copy it */
262 	if(!(msg->rep->rrsets[msg->rep->rrset_count] =
263 		auth_packed_rrset_copy_region(z, node, rrset, region, 0)))
264 		return 0;
265 	msg->rep->rrset_count++;
266 	msg->rep->ns_numrrsets++;
267 	msg_ttl(msg);
268 	return 1;
269 }
270 
271 /** add rrset to additional section */
272 static int
273 msg_add_rrset_ar(struct auth_zone* z, struct regional* region,
274 	struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
275 {
276 	if(!rrset || !node)
277 		return 1;
278 	if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
279 		z->dclass))
280 		return 1;
281 	/* grow array */
282 	if(!msg_grow_array(region, msg))
283 		return 0;
284 	/* copy it */
285 	if(!(msg->rep->rrsets[msg->rep->rrset_count] =
286 		auth_packed_rrset_copy_region(z, node, rrset, region, 0)))
287 		return 0;
288 	msg->rep->rrset_count++;
289 	msg->rep->ar_numrrsets++;
290 	msg_ttl(msg);
291 	return 1;
292 }
293 
294 struct auth_zones* auth_zones_create(void)
295 {
296 	struct auth_zones* az = (struct auth_zones*)calloc(1, sizeof(*az));
297 	if(!az) {
298 		log_err("out of memory");
299 		return NULL;
300 	}
301 	rbtree_init(&az->ztree, &auth_zone_cmp);
302 	rbtree_init(&az->xtree, &auth_xfer_cmp);
303 	lock_rw_init(&az->lock);
304 	lock_protect(&az->lock, &az->ztree, sizeof(az->ztree));
305 	lock_protect(&az->lock, &az->xtree, sizeof(az->xtree));
306 	/* also lock protects the rbnode's in struct auth_zone, auth_xfer */
307 	lock_rw_init(&az->rpz_lock);
308 	lock_protect(&az->rpz_lock, &az->rpz_first, sizeof(az->rpz_first));
309 	return az;
310 }
311 
312 int auth_zone_cmp(const void* z1, const void* z2)
313 {
314 	/* first sort on class, so that hierarchy can be maintained within
315 	 * a class */
316 	struct auth_zone* a = (struct auth_zone*)z1;
317 	struct auth_zone* b = (struct auth_zone*)z2;
318 	int m;
319 	if(a->dclass != b->dclass) {
320 		if(a->dclass < b->dclass)
321 			return -1;
322 		return 1;
323 	}
324 	/* sorted such that higher zones sort before lower zones (their
325 	 * contents) */
326 	return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m);
327 }
328 
329 int auth_data_cmp(const void* z1, const void* z2)
330 {
331 	struct auth_data* a = (struct auth_data*)z1;
332 	struct auth_data* b = (struct auth_data*)z2;
333 	int m;
334 	/* canonical sort, because DNSSEC needs that */
335 	return dname_canon_lab_cmp(a->name, a->namelabs, b->name,
336 		b->namelabs, &m);
337 }
338 
339 int auth_xfer_cmp(const void* z1, const void* z2)
340 {
341 	/* first sort on class, so that hierarchy can be maintained within
342 	 * a class */
343 	struct auth_xfer* a = (struct auth_xfer*)z1;
344 	struct auth_xfer* b = (struct auth_xfer*)z2;
345 	int m;
346 	if(a->dclass != b->dclass) {
347 		if(a->dclass < b->dclass)
348 			return -1;
349 		return 1;
350 	}
351 	/* sorted such that higher zones sort before lower zones (their
352 	 * contents) */
353 	return dname_lab_cmp(a->name, a->namelabs, b->name, b->namelabs, &m);
354 }
355 
356 /** delete auth rrset node */
357 static void
358 auth_rrset_delete(struct auth_rrset* rrset)
359 {
360 	if(!rrset) return;
361 	free(rrset->data);
362 	free(rrset);
363 }
364 
365 /** delete auth data domain node */
366 static void
367 auth_data_delete(struct auth_data* n)
368 {
369 	struct auth_rrset* p, *np;
370 	if(!n) return;
371 	p = n->rrsets;
372 	while(p) {
373 		np = p->next;
374 		auth_rrset_delete(p);
375 		p = np;
376 	}
377 	free(n->name);
378 	free(n);
379 }
380 
381 /** helper traverse to delete zones */
382 static void
383 auth_data_del(rbnode_type* n, void* ATTR_UNUSED(arg))
384 {
385 	struct auth_data* z = (struct auth_data*)n->key;
386 	auth_data_delete(z);
387 }
388 
389 /** delete an auth zone structure (tree remove must be done elsewhere) */
390 static void
391 auth_zone_delete(struct auth_zone* z, struct auth_zones* az)
392 {
393 	if(!z) return;
394 	lock_rw_destroy(&z->lock);
395 	traverse_postorder(&z->data, auth_data_del, NULL);
396 
397 	if(az && z->rpz) {
398 		/* keep RPZ linked list intact */
399 		lock_rw_wrlock(&az->rpz_lock);
400 		if(z->rpz_az_prev)
401 			z->rpz_az_prev->rpz_az_next = z->rpz_az_next;
402 		else
403 			az->rpz_first = z->rpz_az_next;
404 		if(z->rpz_az_next)
405 			z->rpz_az_next->rpz_az_prev = z->rpz_az_prev;
406 		lock_rw_unlock(&az->rpz_lock);
407 	}
408 	if(z->rpz)
409 		rpz_delete(z->rpz);
410 	free(z->name);
411 	free(z->zonefile);
412 	free(z);
413 }
414 
415 struct auth_zone*
416 auth_zone_create(struct auth_zones* az, uint8_t* nm, size_t nmlen,
417 	uint16_t dclass)
418 {
419 	struct auth_zone* z = (struct auth_zone*)calloc(1, sizeof(*z));
420 	if(!z) {
421 		return NULL;
422 	}
423 	z->node.key = z;
424 	z->dclass = dclass;
425 	z->namelen = nmlen;
426 	z->namelabs = dname_count_labels(nm);
427 	z->name = memdup(nm, nmlen);
428 	if(!z->name) {
429 		free(z);
430 		return NULL;
431 	}
432 	rbtree_init(&z->data, &auth_data_cmp);
433 	lock_rw_init(&z->lock);
434 	lock_protect(&z->lock, &z->name, sizeof(*z)-sizeof(rbnode_type)-
435 			sizeof(&z->rpz_az_next)-sizeof(&z->rpz_az_prev));
436 	lock_rw_wrlock(&z->lock);
437 	/* z lock protects all, except rbtree itself and the rpz linked list
438 	 * pointers, which are protected using az->lock */
439 	if(!rbtree_insert(&az->ztree, &z->node)) {
440 		lock_rw_unlock(&z->lock);
441 		auth_zone_delete(z, NULL);
442 		log_warn("duplicate auth zone");
443 		return NULL;
444 	}
445 	return z;
446 }
447 
448 struct auth_zone*
449 auth_zone_find(struct auth_zones* az, uint8_t* nm, size_t nmlen,
450 	uint16_t dclass)
451 {
452 	struct auth_zone key;
453 	key.node.key = &key;
454 	key.dclass = dclass;
455 	key.name = nm;
456 	key.namelen = nmlen;
457 	key.namelabs = dname_count_labels(nm);
458 	return (struct auth_zone*)rbtree_search(&az->ztree, &key);
459 }
460 
461 struct auth_xfer*
462 auth_xfer_find(struct auth_zones* az, uint8_t* nm, size_t nmlen,
463 	uint16_t dclass)
464 {
465 	struct auth_xfer key;
466 	key.node.key = &key;
467 	key.dclass = dclass;
468 	key.name = nm;
469 	key.namelen = nmlen;
470 	key.namelabs = dname_count_labels(nm);
471 	return (struct auth_xfer*)rbtree_search(&az->xtree, &key);
472 }
473 
474 /** find an auth zone or sorted less-or-equal, return true if exact */
475 static int
476 auth_zone_find_less_equal(struct auth_zones* az, uint8_t* nm, size_t nmlen,
477 	uint16_t dclass, struct auth_zone** z)
478 {
479 	struct auth_zone key;
480 	key.node.key = &key;
481 	key.dclass = dclass;
482 	key.name = nm;
483 	key.namelen = nmlen;
484 	key.namelabs = dname_count_labels(nm);
485 	return rbtree_find_less_equal(&az->ztree, &key, (rbnode_type**)z);
486 }
487 
488 
489 /** find the auth zone that is above the given name */
490 struct auth_zone*
491 auth_zones_find_zone(struct auth_zones* az, uint8_t* name, size_t name_len,
492 	uint16_t dclass)
493 {
494 	uint8_t* nm = name;
495 	size_t nmlen = name_len;
496 	struct auth_zone* z;
497 	if(auth_zone_find_less_equal(az, nm, nmlen, dclass, &z)) {
498 		/* exact match */
499 		return z;
500 	} else {
501 		/* less-or-nothing */
502 		if(!z) return NULL; /* nothing smaller, nothing above it */
503 		/* we found smaller name; smaller may be above the name,
504 		 * but not below it. */
505 		nm = dname_get_shared_topdomain(z->name, name);
506 		dname_count_size_labels(nm, &nmlen);
507 		z = NULL;
508 	}
509 
510 	/* search up */
511 	while(!z) {
512 		z = auth_zone_find(az, nm, nmlen, dclass);
513 		if(z) return z;
514 		if(dname_is_root(nm)) break;
515 		dname_remove_label(&nm, &nmlen);
516 	}
517 	return NULL;
518 }
519 
520 /** find or create zone with name str. caller must have lock on az.
521  * returns a wrlocked zone */
522 static struct auth_zone*
523 auth_zones_find_or_add_zone(struct auth_zones* az, char* name)
524 {
525 	uint8_t nm[LDNS_MAX_DOMAINLEN+1];
526 	size_t nmlen = sizeof(nm);
527 	struct auth_zone* z;
528 
529 	if(sldns_str2wire_dname_buf(name, nm, &nmlen) != 0) {
530 		log_err("cannot parse auth zone name: %s", name);
531 		return 0;
532 	}
533 	z = auth_zone_find(az, nm, nmlen, LDNS_RR_CLASS_IN);
534 	if(!z) {
535 		/* not found, create the zone */
536 		z = auth_zone_create(az, nm, nmlen, LDNS_RR_CLASS_IN);
537 	} else {
538 		lock_rw_wrlock(&z->lock);
539 	}
540 	return z;
541 }
542 
543 /** find or create xfer zone with name str. caller must have lock on az.
544  * returns a locked xfer */
545 static struct auth_xfer*
546 auth_zones_find_or_add_xfer(struct auth_zones* az, struct auth_zone* z)
547 {
548 	struct auth_xfer* x;
549 	x = auth_xfer_find(az, z->name, z->namelen, z->dclass);
550 	if(!x) {
551 		/* not found, create the zone */
552 		x = auth_xfer_create(az, z);
553 	} else {
554 		lock_basic_lock(&x->lock);
555 	}
556 	return x;
557 }
558 
559 int
560 auth_zone_set_zonefile(struct auth_zone* z, char* zonefile)
561 {
562 	if(z->zonefile) free(z->zonefile);
563 	if(zonefile == NULL) {
564 		z->zonefile = NULL;
565 	} else {
566 		z->zonefile = strdup(zonefile);
567 		if(!z->zonefile) {
568 			log_err("malloc failure");
569 			return 0;
570 		}
571 	}
572 	return 1;
573 }
574 
575 /** set auth zone fallback. caller must have lock on zone */
576 int
577 auth_zone_set_fallback(struct auth_zone* z, char* fallbackstr)
578 {
579 	if(strcmp(fallbackstr, "yes") != 0 && strcmp(fallbackstr, "no") != 0){
580 		log_err("auth zone fallback, expected yes or no, got %s",
581 			fallbackstr);
582 		return 0;
583 	}
584 	z->fallback_enabled = (strcmp(fallbackstr, "yes")==0);
585 	return 1;
586 }
587 
588 /** create domain with the given name */
589 static struct auth_data*
590 az_domain_create(struct auth_zone* z, uint8_t* nm, size_t nmlen)
591 {
592 	struct auth_data* n = (struct auth_data*)malloc(sizeof(*n));
593 	if(!n) return NULL;
594 	memset(n, 0, sizeof(*n));
595 	n->node.key = n;
596 	n->name = memdup(nm, nmlen);
597 	if(!n->name) {
598 		free(n);
599 		return NULL;
600 	}
601 	n->namelen = nmlen;
602 	n->namelabs = dname_count_labels(nm);
603 	if(!rbtree_insert(&z->data, &n->node)) {
604 		log_warn("duplicate auth domain name");
605 		free(n->name);
606 		free(n);
607 		return NULL;
608 	}
609 	return n;
610 }
611 
612 /** find domain with exactly the given name */
613 static struct auth_data*
614 az_find_name(struct auth_zone* z, uint8_t* nm, size_t nmlen)
615 {
616 	struct auth_zone key;
617 	key.node.key = &key;
618 	key.name = nm;
619 	key.namelen = nmlen;
620 	key.namelabs = dname_count_labels(nm);
621 	return (struct auth_data*)rbtree_search(&z->data, &key);
622 }
623 
624 /** Find domain name (or closest match) */
625 static void
626 az_find_domain(struct auth_zone* z, struct query_info* qinfo, int* node_exact,
627 	struct auth_data** node)
628 {
629 	struct auth_zone key;
630 	key.node.key = &key;
631 	key.name = qinfo->qname;
632 	key.namelen = qinfo->qname_len;
633 	key.namelabs = dname_count_labels(key.name);
634 	*node_exact = rbtree_find_less_equal(&z->data, &key,
635 		(rbnode_type**)node);
636 }
637 
638 /** find or create domain with name in zone */
639 static struct auth_data*
640 az_domain_find_or_create(struct auth_zone* z, uint8_t* dname,
641 	size_t dname_len)
642 {
643 	struct auth_data* n = az_find_name(z, dname, dname_len);
644 	if(!n) {
645 		n = az_domain_create(z, dname, dname_len);
646 	}
647 	return n;
648 }
649 
650 /** find rrset of given type in the domain */
651 static struct auth_rrset*
652 az_domain_rrset(struct auth_data* n, uint16_t t)
653 {
654 	struct auth_rrset* rrset;
655 	if(!n) return NULL;
656 	rrset = n->rrsets;
657 	while(rrset) {
658 		if(rrset->type == t)
659 			return rrset;
660 		rrset = rrset->next;
661 	}
662 	return NULL;
663 }
664 
665 /** remove rrset of this type from domain */
666 static void
667 domain_remove_rrset(struct auth_data* node, uint16_t rr_type)
668 {
669 	struct auth_rrset* rrset, *prev;
670 	if(!node) return;
671 	prev = NULL;
672 	rrset = node->rrsets;
673 	while(rrset) {
674 		if(rrset->type == rr_type) {
675 			/* found it, now delete it */
676 			if(prev) prev->next = rrset->next;
677 			else	node->rrsets = rrset->next;
678 			auth_rrset_delete(rrset);
679 			return;
680 		}
681 		prev = rrset;
682 		rrset = rrset->next;
683 	}
684 }
685 
686 /** find an rrsig index in the rrset.  returns true if found */
687 static int
688 az_rrset_find_rrsig(struct packed_rrset_data* d, uint8_t* rdata, size_t len,
689 	size_t* index)
690 {
691 	size_t i;
692 	for(i=d->count; i<d->count + d->rrsig_count; i++) {
693 		if(d->rr_len[i] != len)
694 			continue;
695 		if(memcmp(d->rr_data[i], rdata, len) == 0) {
696 			*index = i;
697 			return 1;
698 		}
699 	}
700 	return 0;
701 }
702 
703 /** see if rdata is duplicate */
704 static int
705 rdata_duplicate(struct packed_rrset_data* d, uint8_t* rdata, size_t len)
706 {
707 	size_t i;
708 	for(i=0; i<d->count + d->rrsig_count; i++) {
709 		if(d->rr_len[i] != len)
710 			continue;
711 		if(memcmp(d->rr_data[i], rdata, len) == 0)
712 			return 1;
713 	}
714 	return 0;
715 }
716 
717 /** get rrsig type covered from rdata.
718  * @param rdata: rdata in wireformat, starting with 16bit rdlength.
719  * @param rdatalen: length of rdata buffer.
720  * @return type covered (or 0).
721  */
722 static uint16_t
723 rrsig_rdata_get_type_covered(uint8_t* rdata, size_t rdatalen)
724 {
725 	if(rdatalen < 4)
726 		return 0;
727 	return sldns_read_uint16(rdata+2);
728 }
729 
730 /** remove RR from existing RRset. Also sig, if it is a signature.
731  * reallocates the packed rrset for a new one, false on alloc failure */
732 static int
733 rrset_remove_rr(struct auth_rrset* rrset, size_t index)
734 {
735 	struct packed_rrset_data* d, *old = rrset->data;
736 	size_t i;
737 	if(index >= old->count + old->rrsig_count)
738 		return 0; /* index out of bounds */
739 	d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old) - (
740 		sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t) +
741 		old->rr_len[index]));
742 	if(!d) {
743 		log_err("malloc failure");
744 		return 0;
745 	}
746 	d->ttl = old->ttl;
747 	d->count = old->count;
748 	d->rrsig_count = old->rrsig_count;
749 	if(index < d->count) d->count--;
750 	else d->rrsig_count--;
751 	d->trust = old->trust;
752 	d->security = old->security;
753 
754 	/* set rr_len, needed for ptr_fixup */
755 	d->rr_len = (size_t*)((uint8_t*)d +
756 		sizeof(struct packed_rrset_data));
757 	if(index > 0)
758 		memmove(d->rr_len, old->rr_len, (index)*sizeof(size_t));
759 	if(index+1 < old->count+old->rrsig_count)
760 		memmove(&d->rr_len[index], &old->rr_len[index+1],
761 		(old->count+old->rrsig_count - (index+1))*sizeof(size_t));
762 	packed_rrset_ptr_fixup(d);
763 
764 	/* move over ttls */
765 	if(index > 0)
766 		memmove(d->rr_ttl, old->rr_ttl, (index)*sizeof(time_t));
767 	if(index+1 < old->count+old->rrsig_count)
768 		memmove(&d->rr_ttl[index], &old->rr_ttl[index+1],
769 		(old->count+old->rrsig_count - (index+1))*sizeof(time_t));
770 
771 	/* move over rr_data */
772 	for(i=0; i<d->count+d->rrsig_count; i++) {
773 		size_t oldi;
774 		if(i < index) oldi = i;
775 		else oldi = i+1;
776 		memmove(d->rr_data[i], old->rr_data[oldi], d->rr_len[i]);
777 	}
778 
779 	/* recalc ttl (lowest of remaining RR ttls) */
780 	if(d->count + d->rrsig_count > 0)
781 		d->ttl = d->rr_ttl[0];
782 	for(i=0; i<d->count+d->rrsig_count; i++) {
783 		if(d->rr_ttl[i] < d->ttl)
784 			d->ttl = d->rr_ttl[i];
785 	}
786 
787 	free(rrset->data);
788 	rrset->data = d;
789 	return 1;
790 }
791 
792 /** add RR to existing RRset. If insert_sig is true, add to rrsigs.
793  * This reallocates the packed rrset for a new one */
794 static int
795 rrset_add_rr(struct auth_rrset* rrset, uint32_t rr_ttl, uint8_t* rdata,
796 	size_t rdatalen, int insert_sig)
797 {
798 	struct packed_rrset_data* d, *old = rrset->data;
799 	size_t total, old_total;
800 
801 	d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old)
802 		+ sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t)
803 		+ rdatalen);
804 	if(!d) {
805 		log_err("out of memory");
806 		return 0;
807 	}
808 	/* copy base values */
809 	memcpy(d, old, sizeof(struct packed_rrset_data));
810 	if(!insert_sig) {
811 		d->count++;
812 	} else {
813 		d->rrsig_count++;
814 	}
815 	old_total = old->count + old->rrsig_count;
816 	total = d->count + d->rrsig_count;
817 	/* set rr_len, needed for ptr_fixup */
818 	d->rr_len = (size_t*)((uint8_t*)d +
819 		sizeof(struct packed_rrset_data));
820 	if(old->count != 0)
821 		memmove(d->rr_len, old->rr_len, old->count*sizeof(size_t));
822 	if(old->rrsig_count != 0)
823 		memmove(d->rr_len+d->count, old->rr_len+old->count,
824 			old->rrsig_count*sizeof(size_t));
825 	if(!insert_sig)
826 		d->rr_len[d->count-1] = rdatalen;
827 	else	d->rr_len[total-1] = rdatalen;
828 	packed_rrset_ptr_fixup(d);
829 	if((time_t)rr_ttl < d->ttl)
830 		d->ttl = rr_ttl;
831 
832 	/* copy old values into new array */
833 	if(old->count != 0) {
834 		memmove(d->rr_ttl, old->rr_ttl, old->count*sizeof(time_t));
835 		/* all the old rr pieces are allocated sequential, so we
836 		 * can copy them in one go */
837 		memmove(d->rr_data[0], old->rr_data[0],
838 			(old->rr_data[old->count-1] - old->rr_data[0]) +
839 			old->rr_len[old->count-1]);
840 	}
841 	if(old->rrsig_count != 0) {
842 		memmove(d->rr_ttl+d->count, old->rr_ttl+old->count,
843 			old->rrsig_count*sizeof(time_t));
844 		memmove(d->rr_data[d->count], old->rr_data[old->count],
845 			(old->rr_data[old_total-1] - old->rr_data[old->count]) +
846 			old->rr_len[old_total-1]);
847 	}
848 
849 	/* insert new value */
850 	if(!insert_sig) {
851 		d->rr_ttl[d->count-1] = rr_ttl;
852 		memmove(d->rr_data[d->count-1], rdata, rdatalen);
853 	} else {
854 		d->rr_ttl[total-1] = rr_ttl;
855 		memmove(d->rr_data[total-1], rdata, rdatalen);
856 	}
857 
858 	rrset->data = d;
859 	free(old);
860 	return 1;
861 }
862 
863 /** Create new rrset for node with packed rrset with one RR element */
864 static struct auth_rrset*
865 rrset_create(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl,
866 	uint8_t* rdata, size_t rdatalen)
867 {
868 	struct auth_rrset* rrset = (struct auth_rrset*)calloc(1,
869 		sizeof(*rrset));
870 	struct auth_rrset* p, *prev;
871 	struct packed_rrset_data* d;
872 	if(!rrset) {
873 		log_err("out of memory");
874 		return NULL;
875 	}
876 	rrset->type = rr_type;
877 
878 	/* the rrset data structure, with one RR */
879 	d = (struct packed_rrset_data*)calloc(1,
880 		sizeof(struct packed_rrset_data) + sizeof(size_t) +
881 		sizeof(uint8_t*) + sizeof(time_t) + rdatalen);
882 	if(!d) {
883 		free(rrset);
884 		log_err("out of memory");
885 		return NULL;
886 	}
887 	rrset->data = d;
888 	d->ttl = rr_ttl;
889 	d->trust = rrset_trust_prim_noglue;
890 	d->rr_len = (size_t*)((uint8_t*)d + sizeof(struct packed_rrset_data));
891 	d->rr_data = (uint8_t**)&(d->rr_len[1]);
892 	d->rr_ttl = (time_t*)&(d->rr_data[1]);
893 	d->rr_data[0] = (uint8_t*)&(d->rr_ttl[1]);
894 
895 	/* insert the RR */
896 	d->rr_len[0] = rdatalen;
897 	d->rr_ttl[0] = rr_ttl;
898 	memmove(d->rr_data[0], rdata, rdatalen);
899 	d->count++;
900 
901 	/* insert rrset into linked list for domain */
902 	/* find sorted place to link the rrset into the list */
903 	prev = NULL;
904 	p = node->rrsets;
905 	while(p && p->type<=rr_type) {
906 		prev = p;
907 		p = p->next;
908 	}
909 	/* so, prev is smaller, and p is larger than rr_type */
910 	rrset->next = p;
911 	if(prev) prev->next = rrset;
912 	else node->rrsets = rrset;
913 	return rrset;
914 }
915 
916 /** count number (and size) of rrsigs that cover a type */
917 static size_t
918 rrsig_num_that_cover(struct auth_rrset* rrsig, uint16_t rr_type, size_t* sigsz)
919 {
920 	struct packed_rrset_data* d = rrsig->data;
921 	size_t i, num = 0;
922 	*sigsz = 0;
923 	log_assert(d && rrsig->type == LDNS_RR_TYPE_RRSIG);
924 	for(i=0; i<d->count+d->rrsig_count; i++) {
925 		if(rrsig_rdata_get_type_covered(d->rr_data[i],
926 			d->rr_len[i]) == rr_type) {
927 			num++;
928 			(*sigsz) += d->rr_len[i];
929 		}
930 	}
931 	return num;
932 }
933 
934 /** See if rrsig set has covered sigs for rrset and move them over */
935 static int
936 rrset_moveover_rrsigs(struct auth_data* node, uint16_t rr_type,
937 	struct auth_rrset* rrset, struct auth_rrset* rrsig)
938 {
939 	size_t sigs, sigsz, i, j, total;
940 	struct packed_rrset_data* sigold = rrsig->data;
941 	struct packed_rrset_data* old = rrset->data;
942 	struct packed_rrset_data* d, *sigd;
943 
944 	log_assert(rrset->type == rr_type);
945 	log_assert(rrsig->type == LDNS_RR_TYPE_RRSIG);
946 	sigs = rrsig_num_that_cover(rrsig, rr_type, &sigsz);
947 	if(sigs == 0) {
948 		/* 0 rrsigs to move over, done */
949 		return 1;
950 	}
951 
952 	/* allocate rrset sigsz larger for extra sigs elements, and
953 	 * allocate rrsig sigsz smaller for less sigs elements. */
954 	d = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(old)
955 		+ sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t))
956 		+ sigsz);
957 	if(!d) {
958 		log_err("out of memory");
959 		return 0;
960 	}
961 	/* copy base values */
962 	total = old->count + old->rrsig_count;
963 	memcpy(d, old, sizeof(struct packed_rrset_data));
964 	d->rrsig_count += sigs;
965 	/* setup rr_len */
966 	d->rr_len = (size_t*)((uint8_t*)d +
967 		sizeof(struct packed_rrset_data));
968 	if(total != 0)
969 		memmove(d->rr_len, old->rr_len, total*sizeof(size_t));
970 	j = d->count+d->rrsig_count-sigs;
971 	for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
972 		if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
973 			sigold->rr_len[i]) == rr_type) {
974 			d->rr_len[j] = sigold->rr_len[i];
975 			j++;
976 		}
977 	}
978 	packed_rrset_ptr_fixup(d);
979 
980 	/* copy old values into new array */
981 	if(total != 0) {
982 		memmove(d->rr_ttl, old->rr_ttl, total*sizeof(time_t));
983 		/* all the old rr pieces are allocated sequential, so we
984 		 * can copy them in one go */
985 		memmove(d->rr_data[0], old->rr_data[0],
986 			(old->rr_data[total-1] - old->rr_data[0]) +
987 			old->rr_len[total-1]);
988 	}
989 
990 	/* move over the rrsigs to the larger rrset*/
991 	j = d->count+d->rrsig_count-sigs;
992 	for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
993 		if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
994 			sigold->rr_len[i]) == rr_type) {
995 			/* move this one over to location j */
996 			d->rr_ttl[j] = sigold->rr_ttl[i];
997 			memmove(d->rr_data[j], sigold->rr_data[i],
998 				sigold->rr_len[i]);
999 			if(d->rr_ttl[j] < d->ttl)
1000 				d->ttl = d->rr_ttl[j];
1001 			j++;
1002 		}
1003 	}
1004 
1005 	/* put it in and deallocate the old rrset */
1006 	rrset->data = d;
1007 	free(old);
1008 
1009 	/* now make rrsig set smaller */
1010 	if(sigold->count+sigold->rrsig_count == sigs) {
1011 		/* remove all sigs from rrsig, remove it entirely */
1012 		domain_remove_rrset(node, LDNS_RR_TYPE_RRSIG);
1013 		return 1;
1014 	}
1015 	log_assert(packed_rrset_sizeof(sigold) > sigs*(sizeof(size_t) +
1016 		sizeof(uint8_t*) + sizeof(time_t)) + sigsz);
1017 	sigd = (struct packed_rrset_data*)calloc(1, packed_rrset_sizeof(sigold)
1018 		- sigs*(sizeof(size_t) + sizeof(uint8_t*) + sizeof(time_t))
1019 		- sigsz);
1020 	if(!sigd) {
1021 		/* no need to free up d, it has already been placed in the
1022 		 * node->rrset structure */
1023 		log_err("out of memory");
1024 		return 0;
1025 	}
1026 	/* copy base values */
1027 	memcpy(sigd, sigold, sizeof(struct packed_rrset_data));
1028 	/* in sigd the RRSIGs are stored in the base of the RR, in count */
1029 	sigd->count -= sigs;
1030 	/* setup rr_len */
1031 	sigd->rr_len = (size_t*)((uint8_t*)sigd +
1032 		sizeof(struct packed_rrset_data));
1033 	j = 0;
1034 	for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
1035 		if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
1036 			sigold->rr_len[i]) != rr_type) {
1037 			sigd->rr_len[j] = sigold->rr_len[i];
1038 			j++;
1039 		}
1040 	}
1041 	packed_rrset_ptr_fixup(sigd);
1042 
1043 	/* copy old values into new rrsig array */
1044 	j = 0;
1045 	for(i=0; i<sigold->count+sigold->rrsig_count; i++) {
1046 		if(rrsig_rdata_get_type_covered(sigold->rr_data[i],
1047 			sigold->rr_len[i]) != rr_type) {
1048 			/* move this one over to location j */
1049 			sigd->rr_ttl[j] = sigold->rr_ttl[i];
1050 			memmove(sigd->rr_data[j], sigold->rr_data[i],
1051 				sigold->rr_len[i]);
1052 			if(j==0) sigd->ttl = sigd->rr_ttl[j];
1053 			else {
1054 				if(sigd->rr_ttl[j] < sigd->ttl)
1055 					sigd->ttl = sigd->rr_ttl[j];
1056 			}
1057 			j++;
1058 		}
1059 	}
1060 
1061 	/* put it in and deallocate the old rrset */
1062 	rrsig->data = sigd;
1063 	free(sigold);
1064 
1065 	return 1;
1066 }
1067 
1068 /** copy the rrsigs from the rrset to the rrsig rrset, because the rrset
1069  * is going to be deleted.  reallocates the RRSIG rrset data. */
1070 static int
1071 rrsigs_copy_from_rrset_to_rrsigset(struct auth_rrset* rrset,
1072 	struct auth_rrset* rrsigset)
1073 {
1074 	size_t i;
1075 	if(rrset->data->rrsig_count == 0)
1076 		return 1;
1077 
1078 	/* move them over one by one, because there might be duplicates,
1079 	 * duplicates are ignored */
1080 	for(i=rrset->data->count;
1081 		i<rrset->data->count+rrset->data->rrsig_count; i++) {
1082 		uint8_t* rdata = rrset->data->rr_data[i];
1083 		size_t rdatalen = rrset->data->rr_len[i];
1084 		time_t rr_ttl  = rrset->data->rr_ttl[i];
1085 
1086 		if(rdata_duplicate(rrsigset->data, rdata, rdatalen)) {
1087 			continue;
1088 		}
1089 		if(!rrset_add_rr(rrsigset, rr_ttl, rdata, rdatalen, 0))
1090 			return 0;
1091 	}
1092 	return 1;
1093 }
1094 
1095 /** Add rr to node, ignores duplicate RRs,
1096  * rdata points to buffer with rdatalen octets, starts with 2bytelength. */
1097 static int
1098 az_domain_add_rr(struct auth_data* node, uint16_t rr_type, uint32_t rr_ttl,
1099 	uint8_t* rdata, size_t rdatalen, int* duplicate)
1100 {
1101 	struct auth_rrset* rrset;
1102 	/* packed rrsets have their rrsigs along with them, sort them out */
1103 	if(rr_type == LDNS_RR_TYPE_RRSIG) {
1104 		uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen);
1105 		if((rrset=az_domain_rrset(node, ctype))!= NULL) {
1106 			/* a node of the correct type exists, add the RRSIG
1107 			 * to the rrset of the covered data type */
1108 			if(rdata_duplicate(rrset->data, rdata, rdatalen)) {
1109 				if(duplicate) *duplicate = 1;
1110 				return 1;
1111 			}
1112 			if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 1))
1113 				return 0;
1114 		} else if((rrset=az_domain_rrset(node, rr_type))!= NULL) {
1115 			/* add RRSIG to rrset of type RRSIG */
1116 			if(rdata_duplicate(rrset->data, rdata, rdatalen)) {
1117 				if(duplicate) *duplicate = 1;
1118 				return 1;
1119 			}
1120 			if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0))
1121 				return 0;
1122 		} else {
1123 			/* create rrset of type RRSIG */
1124 			if(!rrset_create(node, rr_type, rr_ttl, rdata,
1125 				rdatalen))
1126 				return 0;
1127 		}
1128 	} else {
1129 		/* normal RR type */
1130 		if((rrset=az_domain_rrset(node, rr_type))!= NULL) {
1131 			/* add data to existing node with data type */
1132 			if(rdata_duplicate(rrset->data, rdata, rdatalen)) {
1133 				if(duplicate) *duplicate = 1;
1134 				return 1;
1135 			}
1136 			if(!rrset_add_rr(rrset, rr_ttl, rdata, rdatalen, 0))
1137 				return 0;
1138 		} else {
1139 			struct auth_rrset* rrsig;
1140 			/* create new node with data type */
1141 			if(!(rrset=rrset_create(node, rr_type, rr_ttl, rdata,
1142 				rdatalen)))
1143 				return 0;
1144 
1145 			/* see if node of type RRSIG has signatures that
1146 			 * cover the data type, and move them over */
1147 			/* and then make the RRSIG type smaller */
1148 			if((rrsig=az_domain_rrset(node, LDNS_RR_TYPE_RRSIG))
1149 				!= NULL) {
1150 				if(!rrset_moveover_rrsigs(node, rr_type,
1151 					rrset, rrsig))
1152 					return 0;
1153 			}
1154 		}
1155 	}
1156 	return 1;
1157 }
1158 
1159 /** insert RR into zone, ignore duplicates */
1160 static int
1161 az_insert_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len,
1162 	size_t dname_len, int* duplicate)
1163 {
1164 	struct auth_data* node;
1165 	uint8_t* dname = rr;
1166 	uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len);
1167 	uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len);
1168 	uint32_t rr_ttl = sldns_wirerr_get_ttl(rr, rr_len, dname_len);
1169 	size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len,
1170 		dname_len))+2;
1171 	/* rdata points to rdata prefixed with uint16 rdatalength */
1172 	uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len);
1173 
1174 	if(rr_class != z->dclass) {
1175 		log_err("wrong class for RR");
1176 		return 0;
1177 	}
1178 	if(!(node=az_domain_find_or_create(z, dname, dname_len))) {
1179 		log_err("cannot create domain");
1180 		return 0;
1181 	}
1182 	if(!az_domain_add_rr(node, rr_type, rr_ttl, rdata, rdatalen,
1183 		duplicate)) {
1184 		log_err("cannot add RR to domain");
1185 		return 0;
1186 	}
1187 	if(z->rpz) {
1188 		if(!(rpz_insert_rr(z->rpz, z->name, z->namelen, dname,
1189 			dname_len, rr_type, rr_class, rr_ttl, rdata, rdatalen,
1190 			rr, rr_len)))
1191 			return 0;
1192 	}
1193 	return 1;
1194 }
1195 
1196 /** Remove rr from node, ignores nonexisting RRs,
1197  * rdata points to buffer with rdatalen octets, starts with 2bytelength. */
1198 static int
1199 az_domain_remove_rr(struct auth_data* node, uint16_t rr_type,
1200 	uint8_t* rdata, size_t rdatalen, int* nonexist)
1201 {
1202 	struct auth_rrset* rrset;
1203 	size_t index = 0;
1204 
1205 	/* find the plain RR of the given type */
1206 	if((rrset=az_domain_rrset(node, rr_type))!= NULL) {
1207 		if(packed_rrset_find_rr(rrset->data, rdata, rdatalen, &index)) {
1208 			if(rrset->data->count == 1 &&
1209 				rrset->data->rrsig_count == 0) {
1210 				/* last RR, delete the rrset */
1211 				domain_remove_rrset(node, rr_type);
1212 			} else if(rrset->data->count == 1 &&
1213 				rrset->data->rrsig_count != 0) {
1214 				/* move RRSIGs to the RRSIG rrset, or
1215 				 * this one becomes that RRset */
1216 				struct auth_rrset* rrsigset = az_domain_rrset(
1217 					node, LDNS_RR_TYPE_RRSIG);
1218 				if(rrsigset) {
1219 					/* move left over rrsigs to the
1220 					 * existing rrset of type RRSIG */
1221 					rrsigs_copy_from_rrset_to_rrsigset(
1222 						rrset, rrsigset);
1223 					/* and then delete the rrset */
1224 					domain_remove_rrset(node, rr_type);
1225 				} else {
1226 					/* no rrset of type RRSIG, this
1227 					 * set is now of that type,
1228 					 * just remove the rr */
1229 					if(!rrset_remove_rr(rrset, index))
1230 						return 0;
1231 					rrset->type = LDNS_RR_TYPE_RRSIG;
1232 					rrset->data->count = rrset->data->rrsig_count;
1233 					rrset->data->rrsig_count = 0;
1234 				}
1235 			} else {
1236 				/* remove the RR from the rrset */
1237 				if(!rrset_remove_rr(rrset, index))
1238 					return 0;
1239 			}
1240 			return 1;
1241 		}
1242 		/* rr not found in rrset */
1243 	}
1244 
1245 	/* is it a type RRSIG, look under the covered type */
1246 	if(rr_type == LDNS_RR_TYPE_RRSIG) {
1247 		uint16_t ctype = rrsig_rdata_get_type_covered(rdata, rdatalen);
1248 		if((rrset=az_domain_rrset(node, ctype))!= NULL) {
1249 			if(az_rrset_find_rrsig(rrset->data, rdata, rdatalen,
1250 				&index)) {
1251 				/* rrsig should have d->count > 0, be
1252 				 * over some rr of that type */
1253 				/* remove the rrsig from the rrsigs list of the
1254 				 * rrset */
1255 				if(!rrset_remove_rr(rrset, index))
1256 					return 0;
1257 				return 1;
1258 			}
1259 		}
1260 		/* also RRSIG not found */
1261 	}
1262 
1263 	/* nothing found to delete */
1264 	if(nonexist) *nonexist = 1;
1265 	return 1;
1266 }
1267 
1268 /** remove RR from zone, ignore if it does not exist, false on alloc failure*/
1269 static int
1270 az_remove_rr(struct auth_zone* z, uint8_t* rr, size_t rr_len,
1271 	size_t dname_len, int* nonexist)
1272 {
1273 	struct auth_data* node;
1274 	uint8_t* dname = rr;
1275 	uint16_t rr_type = sldns_wirerr_get_type(rr, rr_len, dname_len);
1276 	uint16_t rr_class = sldns_wirerr_get_class(rr, rr_len, dname_len);
1277 	size_t rdatalen = ((size_t)sldns_wirerr_get_rdatalen(rr, rr_len,
1278 		dname_len))+2;
1279 	/* rdata points to rdata prefixed with uint16 rdatalength */
1280 	uint8_t* rdata = sldns_wirerr_get_rdatawl(rr, rr_len, dname_len);
1281 
1282 	if(rr_class != z->dclass) {
1283 		log_err("wrong class for RR");
1284 		/* really also a nonexisting entry, because no records
1285 		 * of that class in the zone, but return an error because
1286 		 * getting records of the wrong class is a failure of the
1287 		 * zone transfer */
1288 		return 0;
1289 	}
1290 	node = az_find_name(z, dname, dname_len);
1291 	if(!node) {
1292 		/* node with that name does not exist */
1293 		/* nonexisting entry, because no such name */
1294 		*nonexist = 1;
1295 		return 1;
1296 	}
1297 	if(!az_domain_remove_rr(node, rr_type, rdata, rdatalen, nonexist)) {
1298 		/* alloc failure or so */
1299 		return 0;
1300 	}
1301 	/* remove the node, if necessary */
1302 	/* an rrsets==NULL entry is not kept around for empty nonterminals,
1303 	 * and also parent nodes are not kept around, so we just delete it */
1304 	if(node->rrsets == NULL) {
1305 		(void)rbtree_delete(&z->data, node);
1306 		auth_data_delete(node);
1307 	}
1308 	if(z->rpz) {
1309 		rpz_remove_rr(z->rpz, z->name, z->namelen, dname, dname_len,
1310 			rr_type, rr_class, rdata, rdatalen);
1311 	}
1312 	return 1;
1313 }
1314 
1315 /** decompress an RR into the buffer where it'll be an uncompressed RR
1316  * with uncompressed dname and uncompressed rdata (dnames) */
1317 static int
1318 decompress_rr_into_buffer(struct sldns_buffer* buf, uint8_t* pkt,
1319 	size_t pktlen, uint8_t* dname, uint16_t rr_type, uint16_t rr_class,
1320 	uint32_t rr_ttl, uint8_t* rr_data, uint16_t rr_rdlen)
1321 {
1322 	sldns_buffer pktbuf;
1323 	size_t dname_len = 0;
1324 	size_t rdlenpos;
1325 	size_t rdlen;
1326 	uint8_t* rd;
1327 	const sldns_rr_descriptor* desc;
1328 	sldns_buffer_init_frm_data(&pktbuf, pkt, pktlen);
1329 	sldns_buffer_clear(buf);
1330 
1331 	/* decompress dname */
1332 	sldns_buffer_set_position(&pktbuf,
1333 		(size_t)(dname - sldns_buffer_current(&pktbuf)));
1334 	dname_len = pkt_dname_len(&pktbuf);
1335 	if(dname_len == 0) return 0; /* parse fail on dname */
1336 	if(!sldns_buffer_available(buf, dname_len)) return 0;
1337 	dname_pkt_copy(&pktbuf, sldns_buffer_current(buf), dname);
1338 	sldns_buffer_skip(buf, (ssize_t)dname_len);
1339 
1340 	/* type, class, ttl and rdatalength fields */
1341 	if(!sldns_buffer_available(buf, 10)) return 0;
1342 	sldns_buffer_write_u16(buf, rr_type);
1343 	sldns_buffer_write_u16(buf, rr_class);
1344 	sldns_buffer_write_u32(buf, rr_ttl);
1345 	rdlenpos = sldns_buffer_position(buf);
1346 	sldns_buffer_write_u16(buf, 0); /* rd length position */
1347 
1348 	/* decompress rdata */
1349 	desc = sldns_rr_descript(rr_type);
1350 	rd = rr_data;
1351 	rdlen = rr_rdlen;
1352 	if(rdlen > 0 && desc && desc->_dname_count > 0) {
1353 		int count = (int)desc->_dname_count;
1354 		int rdf = 0;
1355 		size_t len; /* how much rdata to plain copy */
1356 		size_t uncompressed_len, compressed_len;
1357 		size_t oldpos;
1358 		/* decompress dnames. */
1359 		while(rdlen > 0 && count) {
1360 			switch(desc->_wireformat[rdf]) {
1361 			case LDNS_RDF_TYPE_DNAME:
1362 				sldns_buffer_set_position(&pktbuf,
1363 					(size_t)(rd -
1364 					sldns_buffer_begin(&pktbuf)));
1365 				oldpos = sldns_buffer_position(&pktbuf);
1366 				/* moves pktbuf to right after the
1367 				 * compressed dname, and returns uncompressed
1368 				 * dname length */
1369 				uncompressed_len = pkt_dname_len(&pktbuf);
1370 				if(!uncompressed_len)
1371 					return 0; /* parse error in dname */
1372 				if(!sldns_buffer_available(buf,
1373 					uncompressed_len))
1374 					/* dname too long for buffer */
1375 					return 0;
1376 				dname_pkt_copy(&pktbuf,
1377 					sldns_buffer_current(buf), rd);
1378 				sldns_buffer_skip(buf, (ssize_t)uncompressed_len);
1379 				compressed_len = sldns_buffer_position(
1380 					&pktbuf) - oldpos;
1381 				rd += compressed_len;
1382 				rdlen -= compressed_len;
1383 				count--;
1384 				len = 0;
1385 				break;
1386 			case LDNS_RDF_TYPE_STR:
1387 				len = rd[0] + 1;
1388 				break;
1389 			default:
1390 				len = get_rdf_size(desc->_wireformat[rdf]);
1391 				break;
1392 			}
1393 			if(len) {
1394 				if(!sldns_buffer_available(buf, len))
1395 					return 0; /* too long for buffer */
1396 				sldns_buffer_write(buf, rd, len);
1397 				rd += len;
1398 				rdlen -= len;
1399 			}
1400 			rdf++;
1401 		}
1402 	}
1403 	/* copy remaining data */
1404 	if(rdlen > 0) {
1405 		if(!sldns_buffer_available(buf, rdlen)) return 0;
1406 		sldns_buffer_write(buf, rd, rdlen);
1407 	}
1408 	/* fixup rdlength */
1409 	sldns_buffer_write_u16_at(buf, rdlenpos,
1410 		sldns_buffer_position(buf)-rdlenpos-2);
1411 	sldns_buffer_flip(buf);
1412 	return 1;
1413 }
1414 
1415 /** insert RR into zone, from packet, decompress RR,
1416  * if duplicate is nonNULL set the flag but otherwise ignore duplicates */
1417 static int
1418 az_insert_rr_decompress(struct auth_zone* z, uint8_t* pkt, size_t pktlen,
1419 	struct sldns_buffer* scratch_buffer, uint8_t* dname, uint16_t rr_type,
1420 	uint16_t rr_class, uint32_t rr_ttl, uint8_t* rr_data,
1421 	uint16_t rr_rdlen, int* duplicate)
1422 {
1423 	uint8_t* rr;
1424 	size_t rr_len;
1425 	size_t dname_len;
1426 	if(!decompress_rr_into_buffer(scratch_buffer, pkt, pktlen, dname,
1427 		rr_type, rr_class, rr_ttl, rr_data, rr_rdlen)) {
1428 		log_err("could not decompress RR");
1429 		return 0;
1430 	}
1431 	rr = sldns_buffer_begin(scratch_buffer);
1432 	rr_len = sldns_buffer_limit(scratch_buffer);
1433 	dname_len = dname_valid(rr, rr_len);
1434 	return az_insert_rr(z, rr, rr_len, dname_len, duplicate);
1435 }
1436 
1437 /** remove RR from zone, from packet, decompress RR,
1438  * if nonexist is nonNULL set the flag but otherwise ignore nonexisting entries*/
1439 static int
1440 az_remove_rr_decompress(struct auth_zone* z, uint8_t* pkt, size_t pktlen,
1441 	struct sldns_buffer* scratch_buffer, uint8_t* dname, uint16_t rr_type,
1442 	uint16_t rr_class, uint32_t rr_ttl, uint8_t* rr_data,
1443 	uint16_t rr_rdlen, int* nonexist)
1444 {
1445 	uint8_t* rr;
1446 	size_t rr_len;
1447 	size_t dname_len;
1448 	if(!decompress_rr_into_buffer(scratch_buffer, pkt, pktlen, dname,
1449 		rr_type, rr_class, rr_ttl, rr_data, rr_rdlen)) {
1450 		log_err("could not decompress RR");
1451 		return 0;
1452 	}
1453 	rr = sldns_buffer_begin(scratch_buffer);
1454 	rr_len = sldns_buffer_limit(scratch_buffer);
1455 	dname_len = dname_valid(rr, rr_len);
1456 	return az_remove_rr(z, rr, rr_len, dname_len, nonexist);
1457 }
1458 
1459 /**
1460  * Parse zonefile
1461  * @param z: zone to read in.
1462  * @param in: file to read from (just opened).
1463  * @param rr: buffer to use for RRs, 64k.
1464  *	passed so that recursive includes can use the same buffer and do
1465  *	not grow the stack too much.
1466  * @param rrbuflen: sizeof rr buffer.
1467  * @param state: parse state with $ORIGIN, $TTL and 'prev-dname' and so on,
1468  *	that is kept between includes.
1469  *	The lineno is set at 1 and then increased by the function.
1470  * @param fname: file name.
1471  * @param depth: recursion depth for includes
1472  * @param cfg: config for chroot.
1473  * returns false on failure, has printed an error message
1474  */
1475 static int
1476 az_parse_file(struct auth_zone* z, FILE* in, uint8_t* rr, size_t rrbuflen,
1477 	struct sldns_file_parse_state* state, char* fname, int depth,
1478 	struct config_file* cfg)
1479 {
1480 	size_t rr_len, dname_len;
1481 	int status;
1482 	state->lineno = 1;
1483 
1484 	while(!feof(in)) {
1485 		rr_len = rrbuflen;
1486 		dname_len = 0;
1487 		status = sldns_fp2wire_rr_buf(in, rr, &rr_len, &dname_len,
1488 			state);
1489 		if(status == LDNS_WIREPARSE_ERR_INCLUDE && rr_len == 0) {
1490 			/* we have $INCLUDE or $something */
1491 			if(strncmp((char*)rr, "$INCLUDE ", 9) == 0 ||
1492 			   strncmp((char*)rr, "$INCLUDE\t", 9) == 0) {
1493 				FILE* inc;
1494 				int lineno_orig = state->lineno;
1495 				char* incfile = (char*)rr + 8;
1496 				if(depth > MAX_INCLUDE_DEPTH) {
1497 					log_err("%s:%d max include depth"
1498 					  "exceeded", fname, state->lineno);
1499 					return 0;
1500 				}
1501 				/* skip spaces */
1502 				while(*incfile == ' ' || *incfile == '\t')
1503 					incfile++;
1504 				/* adjust for chroot on include file */
1505 				if(cfg->chrootdir && cfg->chrootdir[0] &&
1506 					strncmp(incfile, cfg->chrootdir,
1507 						strlen(cfg->chrootdir)) == 0)
1508 					incfile += strlen(cfg->chrootdir);
1509 				incfile = strdup(incfile);
1510 				if(!incfile) {
1511 					log_err("malloc failure");
1512 					return 0;
1513 				}
1514 				verbose(VERB_ALGO, "opening $INCLUDE %s",
1515 					incfile);
1516 				inc = fopen(incfile, "r");
1517 				if(!inc) {
1518 					log_err("%s:%d cannot open include "
1519 						"file %s: %s", fname,
1520 						lineno_orig, incfile,
1521 						strerror(errno));
1522 					free(incfile);
1523 					return 0;
1524 				}
1525 				/* recurse read that file now */
1526 				if(!az_parse_file(z, inc, rr, rrbuflen,
1527 					state, incfile, depth+1, cfg)) {
1528 					log_err("%s:%d cannot parse include "
1529 						"file %s", fname,
1530 						lineno_orig, incfile);
1531 					fclose(inc);
1532 					free(incfile);
1533 					return 0;
1534 				}
1535 				fclose(inc);
1536 				verbose(VERB_ALGO, "done with $INCLUDE %s",
1537 					incfile);
1538 				free(incfile);
1539 				state->lineno = lineno_orig;
1540 			}
1541 			continue;
1542 		}
1543 		if(status != 0) {
1544 			log_err("parse error %s %d:%d: %s", fname,
1545 				state->lineno, LDNS_WIREPARSE_OFFSET(status),
1546 				sldns_get_errorstr_parse(status));
1547 			return 0;
1548 		}
1549 		if(rr_len == 0) {
1550 			/* EMPTY line, TTL or ORIGIN */
1551 			continue;
1552 		}
1553 		/* insert wirerr in rrbuf */
1554 		if(!az_insert_rr(z, rr, rr_len, dname_len, NULL)) {
1555 			char buf[17];
1556 			sldns_wire2str_type_buf(sldns_wirerr_get_type(rr,
1557 				rr_len, dname_len), buf, sizeof(buf));
1558 			log_err("%s:%d cannot insert RR of type %s",
1559 				fname, state->lineno, buf);
1560 			return 0;
1561 		}
1562 	}
1563 	return 1;
1564 }
1565 
1566 int
1567 auth_zone_read_zonefile(struct auth_zone* z, struct config_file* cfg)
1568 {
1569 	uint8_t rr[LDNS_RR_BUF_SIZE];
1570 	struct sldns_file_parse_state state;
1571 	char* zfilename;
1572 	FILE* in;
1573 	if(!z || !z->zonefile || z->zonefile[0]==0)
1574 		return 1; /* no file, or "", nothing to read */
1575 
1576 	zfilename = z->zonefile;
1577 	if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename,
1578 		cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
1579 		zfilename += strlen(cfg->chrootdir);
1580 	if(verbosity >= VERB_ALGO) {
1581 		char nm[255+1];
1582 		dname_str(z->name, nm);
1583 		verbose(VERB_ALGO, "read zonefile %s for %s", zfilename, nm);
1584 	}
1585 	in = fopen(zfilename, "r");
1586 	if(!in) {
1587 		char* n = sldns_wire2str_dname(z->name, z->namelen);
1588 		if(z->zone_is_slave && errno == ENOENT) {
1589 			/* we fetch the zone contents later, no file yet */
1590 			verbose(VERB_ALGO, "no zonefile %s for %s",
1591 				zfilename, n?n:"error");
1592 			free(n);
1593 			return 1;
1594 		}
1595 		log_err("cannot open zonefile %s for %s: %s",
1596 			zfilename, n?n:"error", strerror(errno));
1597 		free(n);
1598 		return 0;
1599 	}
1600 
1601 	/* clear the data tree */
1602 	traverse_postorder(&z->data, auth_data_del, NULL);
1603 	rbtree_init(&z->data, &auth_data_cmp);
1604 	/* clear the RPZ policies */
1605 	if(z->rpz)
1606 		rpz_clear(z->rpz);
1607 
1608 	memset(&state, 0, sizeof(state));
1609 	/* default TTL to 3600 */
1610 	state.default_ttl = 3600;
1611 	/* set $ORIGIN to the zone name */
1612 	if(z->namelen <= sizeof(state.origin)) {
1613 		memcpy(state.origin, z->name, z->namelen);
1614 		state.origin_len = z->namelen;
1615 	}
1616 	/* parse the (toplevel) file */
1617 	if(!az_parse_file(z, in, rr, sizeof(rr), &state, zfilename, 0, cfg)) {
1618 		char* n = sldns_wire2str_dname(z->name, z->namelen);
1619 		log_err("error parsing zonefile %s for %s",
1620 			zfilename, n?n:"error");
1621 		free(n);
1622 		fclose(in);
1623 		return 0;
1624 	}
1625 	fclose(in);
1626 
1627 	if(z->rpz)
1628 		rpz_finish_config(z->rpz);
1629 	return 1;
1630 }
1631 
1632 /** write buffer to file and check return codes */
1633 static int
1634 write_out(FILE* out, const char* str, size_t len)
1635 {
1636 	size_t r;
1637 	if(len == 0)
1638 		return 1;
1639 	r = fwrite(str, 1, len, out);
1640 	if(r == 0) {
1641 		log_err("write failed: %s", strerror(errno));
1642 		return 0;
1643 	} else if(r < len) {
1644 		log_err("write failed: too short (disk full?)");
1645 		return 0;
1646 	}
1647 	return 1;
1648 }
1649 
1650 /** convert auth rr to string */
1651 static int
1652 auth_rr_to_string(uint8_t* nm, size_t nmlen, uint16_t tp, uint16_t cl,
1653 	struct packed_rrset_data* data, size_t i, char* s, size_t buflen)
1654 {
1655 	int w = 0;
1656 	size_t slen = buflen, datlen;
1657 	uint8_t* dat;
1658 	if(i >= data->count) tp = LDNS_RR_TYPE_RRSIG;
1659 	dat = nm;
1660 	datlen = nmlen;
1661 	w += sldns_wire2str_dname_scan(&dat, &datlen, &s, &slen, NULL, 0, NULL);
1662 	w += sldns_str_print(&s, &slen, "\t");
1663 	w += sldns_str_print(&s, &slen, "%lu\t", (unsigned long)data->rr_ttl[i]);
1664 	w += sldns_wire2str_class_print(&s, &slen, cl);
1665 	w += sldns_str_print(&s, &slen, "\t");
1666 	w += sldns_wire2str_type_print(&s, &slen, tp);
1667 	w += sldns_str_print(&s, &slen, "\t");
1668 	datlen = data->rr_len[i]-2;
1669 	dat = data->rr_data[i]+2;
1670 	w += sldns_wire2str_rdata_scan(&dat, &datlen, &s, &slen, tp, NULL, 0, NULL);
1671 
1672 	if(tp == LDNS_RR_TYPE_DNSKEY) {
1673 		w += sldns_str_print(&s, &slen, " ;{id = %u}",
1674 			sldns_calc_keytag_raw(data->rr_data[i]+2,
1675 				data->rr_len[i]-2));
1676 	}
1677 	w += sldns_str_print(&s, &slen, "\n");
1678 
1679 	if(w >= (int)buflen) {
1680 		log_nametypeclass(NO_VERBOSE, "RR too long to print", nm, tp, cl);
1681 		return 0;
1682 	}
1683 	return 1;
1684 }
1685 
1686 /** write rrset to file */
1687 static int
1688 auth_zone_write_rrset(struct auth_zone* z, struct auth_data* node,
1689 	struct auth_rrset* r, FILE* out)
1690 {
1691 	size_t i, count = r->data->count + r->data->rrsig_count;
1692 	char buf[LDNS_RR_BUF_SIZE];
1693 	for(i=0; i<count; i++) {
1694 		if(!auth_rr_to_string(node->name, node->namelen, r->type,
1695 			z->dclass, r->data, i, buf, sizeof(buf))) {
1696 			verbose(VERB_ALGO, "failed to rr2str rr %d", (int)i);
1697 			continue;
1698 		}
1699 		if(!write_out(out, buf, strlen(buf)))
1700 			return 0;
1701 	}
1702 	return 1;
1703 }
1704 
1705 /** write domain to file */
1706 static int
1707 auth_zone_write_domain(struct auth_zone* z, struct auth_data* n, FILE* out)
1708 {
1709 	struct auth_rrset* r;
1710 	/* if this is zone apex, write SOA first */
1711 	if(z->namelen == n->namelen) {
1712 		struct auth_rrset* soa = az_domain_rrset(n, LDNS_RR_TYPE_SOA);
1713 		if(soa) {
1714 			if(!auth_zone_write_rrset(z, n, soa, out))
1715 				return 0;
1716 		}
1717 	}
1718 	/* write all the RRsets for this domain */
1719 	for(r = n->rrsets; r; r = r->next) {
1720 		if(z->namelen == n->namelen &&
1721 			r->type == LDNS_RR_TYPE_SOA)
1722 			continue; /* skip SOA here */
1723 		if(!auth_zone_write_rrset(z, n, r, out))
1724 			return 0;
1725 	}
1726 	return 1;
1727 }
1728 
1729 int auth_zone_write_file(struct auth_zone* z, const char* fname)
1730 {
1731 	FILE* out;
1732 	struct auth_data* n;
1733 	out = fopen(fname, "w");
1734 	if(!out) {
1735 		log_err("could not open %s: %s", fname, strerror(errno));
1736 		return 0;
1737 	}
1738 	RBTREE_FOR(n, struct auth_data*, &z->data) {
1739 		if(!auth_zone_write_domain(z, n, out)) {
1740 			log_err("could not write domain to %s", fname);
1741 			fclose(out);
1742 			return 0;
1743 		}
1744 	}
1745 	fclose(out);
1746 	return 1;
1747 }
1748 
1749 /** offline verify for zonemd, while reading a zone file to immediately
1750  * spot bad hashes in zonefile as they are read.
1751  * Creates temp buffers, but uses anchors and validation environment
1752  * from the module_env. */
1753 static void
1754 zonemd_offline_verify(struct auth_zone* z, struct module_env* env_for_val,
1755 	struct module_stack* mods)
1756 {
1757 	struct module_env env;
1758 	time_t now = 0;
1759 	if(!z->zonemd_check)
1760 		return;
1761 	env = *env_for_val;
1762 	env.scratch_buffer = sldns_buffer_new(env.cfg->msg_buffer_size);
1763 	if(!env.scratch_buffer) {
1764 		log_err("out of memory");
1765 		goto clean_exit;
1766 	}
1767 	env.scratch = regional_create();
1768 	if(!env.now) {
1769 		env.now = &now;
1770 		now = time(NULL);
1771 	}
1772 	if(!env.scratch) {
1773 		log_err("out of memory");
1774 		goto clean_exit;
1775 	}
1776 	auth_zone_verify_zonemd(z, &env, mods, NULL, 1, 0);
1777 
1778 clean_exit:
1779 	/* clean up and exit */
1780 	sldns_buffer_free(env.scratch_buffer);
1781 	regional_destroy(env.scratch);
1782 }
1783 
1784 /** read all auth zones from file (if they have) */
1785 static int
1786 auth_zones_read_zones(struct auth_zones* az, struct config_file* cfg,
1787 	struct module_env* env, struct module_stack* mods)
1788 {
1789 	struct auth_zone* z;
1790 	lock_rw_wrlock(&az->lock);
1791 	RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
1792 		lock_rw_wrlock(&z->lock);
1793 		if(!auth_zone_read_zonefile(z, cfg)) {
1794 			lock_rw_unlock(&z->lock);
1795 			lock_rw_unlock(&az->lock);
1796 			return 0;
1797 		}
1798 		if(z->zonefile && z->zonefile[0]!=0 && env)
1799 			zonemd_offline_verify(z, env, mods);
1800 		lock_rw_unlock(&z->lock);
1801 	}
1802 	lock_rw_unlock(&az->lock);
1803 	return 1;
1804 }
1805 
1806 /** fetch the content of a ZONEMD RR from the rdata */
1807 static int zonemd_fetch_parameters(struct auth_rrset* zonemd_rrset, size_t i,
1808 	uint32_t* serial, int* scheme, int* hashalgo, uint8_t** hash,
1809 	size_t* hashlen)
1810 {
1811 	size_t rr_len;
1812 	uint8_t* rdata;
1813 	if(i >= zonemd_rrset->data->count)
1814 		return 0;
1815 	rr_len = zonemd_rrset->data->rr_len[i];
1816 	if(rr_len < 2+4+1+1)
1817 		return 0; /* too short, for rdlen+serial+scheme+algo */
1818 	rdata = zonemd_rrset->data->rr_data[i];
1819 	*serial = sldns_read_uint32(rdata+2);
1820 	*scheme = rdata[6];
1821 	*hashalgo = rdata[7];
1822 	*hashlen = rr_len - 8;
1823 	if(*hashlen == 0)
1824 		*hash = NULL;
1825 	else	*hash = rdata+8;
1826 	return 1;
1827 }
1828 
1829 /**
1830  * See if the ZONEMD scheme, hash occurs more than once.
1831  * @param zonemd_rrset: the zonemd rrset to check with the RRs in it.
1832  * @param index: index of the original, this is allowed to have that
1833  * 	scheme and hashalgo, but other RRs should not have it.
1834  * @param scheme: the scheme to check for.
1835  * @param hashalgo: the hash algorithm to check for.
1836  * @return true if it occurs more than once.
1837  */
1838 static int zonemd_is_duplicate_scheme_hash(struct auth_rrset* zonemd_rrset,
1839 	size_t index, int scheme, int hashalgo)
1840 {
1841 	size_t j;
1842 	for(j=0; j<zonemd_rrset->data->count; j++) {
1843 		uint32_t serial2 = 0;
1844 		int scheme2 = 0, hashalgo2 = 0;
1845 		uint8_t* hash2 = NULL;
1846 		size_t hashlen2 = 0;
1847 		if(index == j) {
1848 			/* this is the original */
1849 			continue;
1850 		}
1851 		if(!zonemd_fetch_parameters(zonemd_rrset, j, &serial2,
1852 			&scheme2, &hashalgo2, &hash2, &hashlen2)) {
1853 			/* malformed, skip it */
1854 			continue;
1855 		}
1856 		if(scheme == scheme2 && hashalgo == hashalgo2) {
1857 			/* duplicate scheme, hash */
1858 			verbose(VERB_ALGO, "zonemd duplicate for scheme %d "
1859 				"and hash %d", scheme, hashalgo);
1860 			return 1;
1861 		}
1862 	}
1863 	return 0;
1864 }
1865 
1866 /**
1867  * Check ZONEMDs if present for the auth zone.  Depending on config
1868  * it can warn or fail on that.  Checks the hash of the ZONEMD.
1869  * @param z: auth zone to check for.
1870  * 	caller must hold lock on zone.
1871  * @param env: module env for temp buffers.
1872  * @param reason: returned on failure.
1873  * @return false on failure, true if hash checks out.
1874  */
1875 static int auth_zone_zonemd_check_hash(struct auth_zone* z,
1876 	struct module_env* env, char** reason)
1877 {
1878 	/* loop over ZONEMDs and see which one is valid. if not print
1879 	 * failure (depending on config) */
1880 	struct auth_data* apex;
1881 	struct auth_rrset* zonemd_rrset;
1882 	size_t i;
1883 	struct regional* region = NULL;
1884 	struct sldns_buffer* buf = NULL;
1885 	uint32_t soa_serial = 0;
1886 	char* unsupported_reason = NULL;
1887 	int only_unsupported = 1;
1888 	region = env->scratch;
1889 	regional_free_all(region);
1890 	buf = env->scratch_buffer;
1891 	if(!auth_zone_get_serial(z, &soa_serial)) {
1892 		*reason = "zone has no SOA serial";
1893 		return 0;
1894 	}
1895 
1896 	apex = az_find_name(z, z->name, z->namelen);
1897 	if(!apex) {
1898 		*reason = "zone has no apex";
1899 		return 0;
1900 	}
1901 	zonemd_rrset = az_domain_rrset(apex, LDNS_RR_TYPE_ZONEMD);
1902 	if(!zonemd_rrset || zonemd_rrset->data->count==0) {
1903 		*reason = "zone has no ZONEMD";
1904 		return 0; /* no RRset or no RRs in rrset */
1905 	}
1906 
1907 	/* we have a ZONEMD, check if it is correct */
1908 	for(i=0; i<zonemd_rrset->data->count; i++) {
1909 		uint32_t serial = 0;
1910 		int scheme = 0, hashalgo = 0;
1911 		uint8_t* hash = NULL;
1912 		size_t hashlen = 0;
1913 		if(!zonemd_fetch_parameters(zonemd_rrset, i, &serial, &scheme,
1914 			&hashalgo, &hash, &hashlen)) {
1915 			/* malformed RR */
1916 			*reason = "ZONEMD rdata malformed";
1917 			only_unsupported = 0;
1918 			continue;
1919 		}
1920 		/* check for duplicates */
1921 		if(zonemd_is_duplicate_scheme_hash(zonemd_rrset, i, scheme,
1922 			hashalgo)) {
1923 			/* duplicate hash of the same scheme,hash
1924 			 * is not allowed. */
1925 			*reason = "ZONEMD RRSet contains more than one RR "
1926 				"with the same scheme and hash algorithm";
1927 			only_unsupported = 0;
1928 			continue;
1929 		}
1930 		regional_free_all(region);
1931 		if(serial != soa_serial) {
1932 			*reason = "ZONEMD serial is wrong";
1933 			only_unsupported = 0;
1934 			continue;
1935 		}
1936 		*reason = NULL;
1937 		if(auth_zone_generate_zonemd_check(z, scheme, hashalgo,
1938 			hash, hashlen, region, buf, reason)) {
1939 			/* success */
1940 			if(*reason) {
1941 				if(!unsupported_reason)
1942 					unsupported_reason = *reason;
1943 				/* continue to check for valid ZONEMD */
1944 				if(verbosity >= VERB_ALGO) {
1945 					char zstr[255+1];
1946 					dname_str(z->name, zstr);
1947 					verbose(VERB_ALGO, "auth-zone %s ZONEMD %d %d is unsupported: %s", zstr, (int)scheme, (int)hashalgo, *reason);
1948 				}
1949 				*reason = NULL;
1950 				continue;
1951 			}
1952 			if(verbosity >= VERB_ALGO) {
1953 				char zstr[255+1];
1954 				dname_str(z->name, zstr);
1955 				if(!*reason)
1956 					verbose(VERB_ALGO, "auth-zone %s ZONEMD hash is correct", zstr);
1957 			}
1958 			return 1;
1959 		}
1960 		only_unsupported = 0;
1961 		/* try next one */
1962 	}
1963 	/* have we seen no failures but only unsupported algo,
1964 	 * and one unsupported algorithm, or more. */
1965 	if(only_unsupported && unsupported_reason) {
1966 		/* only unsupported algorithms, with valid serial, not
1967 		 * malformed. Did not see supported algorithms, failed or
1968 		 * successful ones. */
1969 		*reason = unsupported_reason;
1970 		return 1;
1971 	}
1972 	/* fail, we may have reason */
1973 	if(!*reason)
1974 		*reason = "no ZONEMD records found";
1975 	if(verbosity >= VERB_ALGO) {
1976 		char zstr[255+1];
1977 		dname_str(z->name, zstr);
1978 		verbose(VERB_ALGO, "auth-zone %s ZONEMD failed: %s", zstr, *reason);
1979 	}
1980 	return 0;
1981 }
1982 
1983 /** find the apex SOA RRset, if it exists */
1984 struct auth_rrset* auth_zone_get_soa_rrset(struct auth_zone* z)
1985 {
1986 	struct auth_data* apex;
1987 	struct auth_rrset* soa;
1988 	apex = az_find_name(z, z->name, z->namelen);
1989 	if(!apex) return NULL;
1990 	soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA);
1991 	return soa;
1992 }
1993 
1994 /** find serial number of zone or false if none */
1995 int
1996 auth_zone_get_serial(struct auth_zone* z, uint32_t* serial)
1997 {
1998 	struct auth_data* apex;
1999 	struct auth_rrset* soa;
2000 	struct packed_rrset_data* d;
2001 	apex = az_find_name(z, z->name, z->namelen);
2002 	if(!apex) return 0;
2003 	soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA);
2004 	if(!soa || soa->data->count==0)
2005 		return 0; /* no RRset or no RRs in rrset */
2006 	if(soa->data->rr_len[0] < 2+4*5) return 0; /* SOA too short */
2007 	d = soa->data;
2008 	*serial = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-20));
2009 	return 1;
2010 }
2011 
2012 /** Find auth_zone SOA and populate the values in xfr(soa values). */
2013 int
2014 xfr_find_soa(struct auth_zone* z, struct auth_xfer* xfr)
2015 {
2016 	struct auth_data* apex;
2017 	struct auth_rrset* soa;
2018 	struct packed_rrset_data* d;
2019 	apex = az_find_name(z, z->name, z->namelen);
2020 	if(!apex) return 0;
2021 	soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA);
2022 	if(!soa || soa->data->count==0)
2023 		return 0; /* no RRset or no RRs in rrset */
2024 	if(soa->data->rr_len[0] < 2+4*5) return 0; /* SOA too short */
2025 	/* SOA record ends with serial, refresh, retry, expiry, minimum,
2026 	 * as 4 byte fields */
2027 	d = soa->data;
2028 	xfr->have_zone = 1;
2029 	xfr->serial = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-20));
2030 	xfr->refresh = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-16));
2031 	xfr->retry = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-12));
2032 	xfr->expiry = sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-8));
2033 	/* soa minimum at d->rr_len[0]-4 */
2034 	return 1;
2035 }
2036 
2037 /**
2038  * Setup auth_xfer zone
2039  * This populates the have_zone, soa values, and so on times.
2040  * Doesn't do network traffic yet, can set option flags.
2041  * @param z: locked by caller, and modified for setup
2042  * @param x: locked by caller, and modified.
2043  * @return false on failure.
2044  */
2045 static int
2046 auth_xfer_setup(struct auth_zone* z, struct auth_xfer* x)
2047 {
2048 	/* for a zone without zone transfers, x==NULL, so skip them,
2049 	 * i.e. the zone config is fixed with no masters or urls */
2050 	if(!z || !x) return 1;
2051 	if(!xfr_find_soa(z, x)) {
2052 		return 1;
2053 	}
2054 	/* nothing for probe, nextprobe and transfer tasks */
2055 	return 1;
2056 }
2057 
2058 /**
2059  * Setup all zones
2060  * @param az: auth zones structure
2061  * @return false on failure.
2062  */
2063 static int
2064 auth_zones_setup_zones(struct auth_zones* az)
2065 {
2066 	struct auth_zone* z;
2067 	struct auth_xfer* x;
2068 	lock_rw_wrlock(&az->lock);
2069 	RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
2070 		lock_rw_wrlock(&z->lock);
2071 		x = auth_xfer_find(az, z->name, z->namelen, z->dclass);
2072 		if(x) {
2073 			lock_basic_lock(&x->lock);
2074 		}
2075 		if(!auth_xfer_setup(z, x)) {
2076 			if(x) {
2077 				lock_basic_unlock(&x->lock);
2078 			}
2079 			lock_rw_unlock(&z->lock);
2080 			lock_rw_unlock(&az->lock);
2081 			return 0;
2082 		}
2083 		if(x) {
2084 			lock_basic_unlock(&x->lock);
2085 		}
2086 		lock_rw_unlock(&z->lock);
2087 	}
2088 	lock_rw_unlock(&az->lock);
2089 	return 1;
2090 }
2091 
2092 /** set config items and create zones */
2093 static int
2094 auth_zones_cfg(struct auth_zones* az, struct config_auth* c)
2095 {
2096 	struct auth_zone* z;
2097 	struct auth_xfer* x = NULL;
2098 
2099 	/* create zone */
2100 	if(c->isrpz) {
2101 		/* if the rpz lock is needed, grab it before the other
2102 		 * locks to avoid a lock dependency cycle */
2103 		lock_rw_wrlock(&az->rpz_lock);
2104 	}
2105 	lock_rw_wrlock(&az->lock);
2106 	if(!(z=auth_zones_find_or_add_zone(az, c->name))) {
2107 		lock_rw_unlock(&az->lock);
2108 		if(c->isrpz) {
2109 			lock_rw_unlock(&az->rpz_lock);
2110 		}
2111 		return 0;
2112 	}
2113 	if(c->masters || c->urls) {
2114 		if(!(x=auth_zones_find_or_add_xfer(az, z))) {
2115 			lock_rw_unlock(&az->lock);
2116 			lock_rw_unlock(&z->lock);
2117 			if(c->isrpz) {
2118 				lock_rw_unlock(&az->rpz_lock);
2119 			}
2120 			return 0;
2121 		}
2122 	}
2123 	if(c->for_downstream)
2124 		az->have_downstream = 1;
2125 	lock_rw_unlock(&az->lock);
2126 
2127 	/* set options */
2128 	z->zone_deleted = 0;
2129 	if(!auth_zone_set_zonefile(z, c->zonefile)) {
2130 		if(x) {
2131 			lock_basic_unlock(&x->lock);
2132 		}
2133 		lock_rw_unlock(&z->lock);
2134 		if(c->isrpz) {
2135 			lock_rw_unlock(&az->rpz_lock);
2136 		}
2137 		return 0;
2138 	}
2139 	z->for_downstream = c->for_downstream;
2140 	z->for_upstream = c->for_upstream;
2141 	z->fallback_enabled = c->fallback_enabled;
2142 	z->zonemd_check = c->zonemd_check;
2143 	z->zonemd_reject_absence = c->zonemd_reject_absence;
2144 	if(c->isrpz && !z->rpz){
2145 		if(!(z->rpz = rpz_create(c))){
2146 			fatal_exit("Could not setup RPZ zones");
2147 			return 0;
2148 		}
2149 		lock_protect(&z->lock, &z->rpz->local_zones, sizeof(*z->rpz));
2150 		/* the az->rpz_lock is locked above */
2151 		z->rpz_az_next = az->rpz_first;
2152 		if(az->rpz_first)
2153 			az->rpz_first->rpz_az_prev = z;
2154 		az->rpz_first = z;
2155 	} else if(c->isrpz && z->rpz) {
2156 		if(!rpz_config(z->rpz, c)) {
2157 			log_err("Could not change rpz config");
2158 			if(x) {
2159 				lock_basic_unlock(&x->lock);
2160 			}
2161 			lock_rw_unlock(&z->lock);
2162 			lock_rw_unlock(&az->rpz_lock);
2163 			return 0;
2164 		}
2165 	}
2166 	if(c->isrpz) {
2167 		lock_rw_unlock(&az->rpz_lock);
2168 	}
2169 
2170 	/* xfer zone */
2171 	if(x) {
2172 		z->zone_is_slave = 1;
2173 		/* set options on xfer zone */
2174 		if(!xfer_set_masters(&x->task_probe->masters, c, 0)) {
2175 			lock_basic_unlock(&x->lock);
2176 			lock_rw_unlock(&z->lock);
2177 			return 0;
2178 		}
2179 		if(!xfer_set_masters(&x->task_transfer->masters, c, 1)) {
2180 			lock_basic_unlock(&x->lock);
2181 			lock_rw_unlock(&z->lock);
2182 			return 0;
2183 		}
2184 		lock_basic_unlock(&x->lock);
2185 	}
2186 
2187 	lock_rw_unlock(&z->lock);
2188 	return 1;
2189 }
2190 
2191 /** set all auth zones deleted, then in auth_zones_cfg, it marks them
2192  * as nondeleted (if they are still in the config), and then later
2193  * we can find deleted zones */
2194 static void
2195 az_setall_deleted(struct auth_zones* az)
2196 {
2197 	struct auth_zone* z;
2198 	lock_rw_wrlock(&az->lock);
2199 	RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
2200 		lock_rw_wrlock(&z->lock);
2201 		z->zone_deleted = 1;
2202 		lock_rw_unlock(&z->lock);
2203 	}
2204 	lock_rw_unlock(&az->lock);
2205 }
2206 
2207 /** find zones that are marked deleted and delete them.
2208  * This is called from apply_cfg, and there are no threads and no
2209  * workers, so the xfr can just be deleted. */
2210 static void
2211 az_delete_deleted_zones(struct auth_zones* az)
2212 {
2213 	struct auth_zone* z;
2214 	struct auth_zone* delete_list = NULL, *next;
2215 	struct auth_xfer* xfr;
2216 	lock_rw_wrlock(&az->lock);
2217 	RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
2218 		lock_rw_wrlock(&z->lock);
2219 		if(z->zone_deleted) {
2220 			/* we cannot alter the rbtree right now, but
2221 			 * we can put it on a linked list and then
2222 			 * delete it */
2223 			z->delete_next = delete_list;
2224 			delete_list = z;
2225 		}
2226 		lock_rw_unlock(&z->lock);
2227 	}
2228 	/* now we are out of the tree loop and we can loop and delete
2229 	 * the zones */
2230 	z = delete_list;
2231 	while(z) {
2232 		next = z->delete_next;
2233 		xfr = auth_xfer_find(az, z->name, z->namelen, z->dclass);
2234 		if(xfr) {
2235 			(void)rbtree_delete(&az->xtree, &xfr->node);
2236 			auth_xfer_delete(xfr);
2237 		}
2238 		(void)rbtree_delete(&az->ztree, &z->node);
2239 		auth_zone_delete(z, az);
2240 		z = next;
2241 	}
2242 	lock_rw_unlock(&az->lock);
2243 }
2244 
2245 int auth_zones_apply_cfg(struct auth_zones* az, struct config_file* cfg,
2246 	int setup, int* is_rpz, struct module_env* env,
2247 	struct module_stack* mods)
2248 {
2249 	struct config_auth* p;
2250 	az_setall_deleted(az);
2251 	for(p = cfg->auths; p; p = p->next) {
2252 		if(!p->name || p->name[0] == 0) {
2253 			log_warn("auth-zone without a name, skipped");
2254 			continue;
2255 		}
2256 		*is_rpz = (*is_rpz || p->isrpz);
2257 		if(!auth_zones_cfg(az, p)) {
2258 			log_err("cannot config auth zone %s", p->name);
2259 			return 0;
2260 		}
2261 	}
2262 	az_delete_deleted_zones(az);
2263 	if(!auth_zones_read_zones(az, cfg, env, mods))
2264 		return 0;
2265 	if(setup) {
2266 		if(!auth_zones_setup_zones(az))
2267 			return 0;
2268 	}
2269 	return 1;
2270 }
2271 
2272 /** delete chunks
2273  * @param at: transfer structure with chunks list.  The chunks and their
2274  * 	data are freed.
2275  */
2276 static void
2277 auth_chunks_delete(struct auth_transfer* at)
2278 {
2279 	if(at->chunks_first) {
2280 		struct auth_chunk* c, *cn;
2281 		c = at->chunks_first;
2282 		while(c) {
2283 			cn = c->next;
2284 			free(c->data);
2285 			free(c);
2286 			c = cn;
2287 		}
2288 	}
2289 	at->chunks_first = NULL;
2290 	at->chunks_last = NULL;
2291 }
2292 
2293 /** free master addr list */
2294 static void
2295 auth_free_master_addrs(struct auth_addr* list)
2296 {
2297 	struct auth_addr *n;
2298 	while(list) {
2299 		n = list->next;
2300 		free(list);
2301 		list = n;
2302 	}
2303 }
2304 
2305 /** free the masters list */
2306 static void
2307 auth_free_masters(struct auth_master* list)
2308 {
2309 	struct auth_master* n;
2310 	while(list) {
2311 		n = list->next;
2312 		auth_free_master_addrs(list->list);
2313 		free(list->host);
2314 		free(list->file);
2315 		free(list);
2316 		list = n;
2317 	}
2318 }
2319 
2320 /** delete auth xfer structure
2321  * @param xfr: delete this xfer and its tasks.
2322  */
2323 static void
2324 auth_xfer_delete(struct auth_xfer* xfr)
2325 {
2326 	if(!xfr) return;
2327 	lock_basic_destroy(&xfr->lock);
2328 	free(xfr->name);
2329 	if(xfr->task_nextprobe) {
2330 		comm_timer_delete(xfr->task_nextprobe->timer);
2331 		free(xfr->task_nextprobe);
2332 	}
2333 	if(xfr->task_probe) {
2334 		auth_free_masters(xfr->task_probe->masters);
2335 		comm_point_delete(xfr->task_probe->cp);
2336 		comm_timer_delete(xfr->task_probe->timer);
2337 		free(xfr->task_probe);
2338 	}
2339 	if(xfr->task_transfer) {
2340 		auth_free_masters(xfr->task_transfer->masters);
2341 		comm_point_delete(xfr->task_transfer->cp);
2342 		comm_timer_delete(xfr->task_transfer->timer);
2343 		if(xfr->task_transfer->chunks_first) {
2344 			auth_chunks_delete(xfr->task_transfer);
2345 		}
2346 		free(xfr->task_transfer);
2347 	}
2348 	auth_free_masters(xfr->allow_notify_list);
2349 	free(xfr);
2350 }
2351 
2352 /** helper traverse to delete zones */
2353 static void
2354 auth_zone_del(rbnode_type* n, void* ATTR_UNUSED(arg))
2355 {
2356 	struct auth_zone* z = (struct auth_zone*)n->key;
2357 	auth_zone_delete(z, NULL);
2358 }
2359 
2360 /** helper traverse to delete xfer zones */
2361 static void
2362 auth_xfer_del(rbnode_type* n, void* ATTR_UNUSED(arg))
2363 {
2364 	struct auth_xfer* z = (struct auth_xfer*)n->key;
2365 	auth_xfer_delete(z);
2366 }
2367 
2368 void auth_zones_delete(struct auth_zones* az)
2369 {
2370 	if(!az) return;
2371 	lock_rw_destroy(&az->lock);
2372 	lock_rw_destroy(&az->rpz_lock);
2373 	traverse_postorder(&az->ztree, auth_zone_del, NULL);
2374 	traverse_postorder(&az->xtree, auth_xfer_del, NULL);
2375 	free(az);
2376 }
2377 
2378 /** true if domain has only nsec3 */
2379 static int
2380 domain_has_only_nsec3(struct auth_data* n)
2381 {
2382 	struct auth_rrset* rrset = n->rrsets;
2383 	int nsec3_seen = 0;
2384 	while(rrset) {
2385 		if(rrset->type == LDNS_RR_TYPE_NSEC3) {
2386 			nsec3_seen = 1;
2387 		} else if(rrset->type != LDNS_RR_TYPE_RRSIG) {
2388 			return 0;
2389 		}
2390 		rrset = rrset->next;
2391 	}
2392 	return nsec3_seen;
2393 }
2394 
2395 /** see if the domain has a wildcard child '*.domain' */
2396 static struct auth_data*
2397 az_find_wildcard_domain(struct auth_zone* z, uint8_t* nm, size_t nmlen)
2398 {
2399 	uint8_t wc[LDNS_MAX_DOMAINLEN];
2400 	if(nmlen+2 > sizeof(wc))
2401 		return NULL; /* result would be too long */
2402 	wc[0] = 1; /* length of wildcard label */
2403 	wc[1] = (uint8_t)'*'; /* wildcard label */
2404 	memmove(wc+2, nm, nmlen);
2405 	return az_find_name(z, wc, nmlen+2);
2406 }
2407 
2408 /** find wildcard between qname and cename */
2409 static struct auth_data*
2410 az_find_wildcard(struct auth_zone* z, struct query_info* qinfo,
2411 	struct auth_data* ce)
2412 {
2413 	uint8_t* nm = qinfo->qname;
2414 	size_t nmlen = qinfo->qname_len;
2415 	struct auth_data* node;
2416 	if(!dname_subdomain_c(nm, z->name))
2417 		return NULL; /* out of zone */
2418 	while((node=az_find_wildcard_domain(z, nm, nmlen))==NULL) {
2419 		/* see if we can go up to find the wildcard */
2420 		if(nmlen == z->namelen)
2421 			return NULL; /* top of zone reached */
2422 		if(ce && nmlen == ce->namelen)
2423 			return NULL; /* ce reached */
2424 		if(dname_is_root(nm))
2425 			return NULL; /* cannot go up */
2426 		dname_remove_label(&nm, &nmlen);
2427 	}
2428 	return node;
2429 }
2430 
2431 /** domain is not exact, find first candidate ce (name that matches
2432  * a part of qname) in tree */
2433 static struct auth_data*
2434 az_find_candidate_ce(struct auth_zone* z, struct query_info* qinfo,
2435 	struct auth_data* n)
2436 {
2437 	uint8_t* nm;
2438 	size_t nmlen;
2439 	if(n) {
2440 		nm = dname_get_shared_topdomain(qinfo->qname, n->name);
2441 	} else {
2442 		nm = qinfo->qname;
2443 	}
2444 	dname_count_size_labels(nm, &nmlen);
2445 	n = az_find_name(z, nm, nmlen);
2446 	/* delete labels and go up on name */
2447 	while(!n) {
2448 		if(dname_is_root(nm))
2449 			return NULL; /* cannot go up */
2450 		dname_remove_label(&nm, &nmlen);
2451 		n = az_find_name(z, nm, nmlen);
2452 	}
2453 	return n;
2454 }
2455 
2456 /** go up the auth tree to next existing name. */
2457 static struct auth_data*
2458 az_domain_go_up(struct auth_zone* z, struct auth_data* n)
2459 {
2460 	uint8_t* nm = n->name;
2461 	size_t nmlen = n->namelen;
2462 	while(!dname_is_root(nm)) {
2463 		dname_remove_label(&nm, &nmlen);
2464 		if((n=az_find_name(z, nm, nmlen)) != NULL)
2465 			return n;
2466 	}
2467 	return NULL;
2468 }
2469 
2470 /** Find the closest encloser, an name that exists and is above the
2471  * qname.
2472  * return true if the node (param node) is existing, nonobscured and
2473  * 	can be used to generate answers from.  It is then also node_exact.
2474  * returns false if the node is not good enough (or it wasn't node_exact)
2475  *	in this case the ce can be filled.
2476  *	if ce is NULL, no ce exists, and likely the zone is completely empty,
2477  *	not even with a zone apex.
2478  *	if ce is nonNULL it is the closest enclosing upper name (that exists
2479  *	itself for answer purposes).  That name may have DNAME, NS or wildcard
2480  *	rrset is the closest DNAME or NS rrset that was found.
2481  */
2482 static int
2483 az_find_ce(struct auth_zone* z, struct query_info* qinfo,
2484 	struct auth_data* node, int node_exact, struct auth_data** ce,
2485 	struct auth_rrset** rrset)
2486 {
2487 	struct auth_data* n = node;
2488 	struct auth_rrset* lookrrset;
2489 	*ce = NULL;
2490 	*rrset = NULL;
2491 	if(!node_exact) {
2492 		/* if not exact, lookup closest exact match */
2493 		n = az_find_candidate_ce(z, qinfo, n);
2494 	} else {
2495 		/* if exact, the node itself is the first candidate ce */
2496 		*ce = n;
2497 	}
2498 
2499 	/* no direct answer from nsec3-only domains */
2500 	if(n && domain_has_only_nsec3(n)) {
2501 		node_exact = 0;
2502 		*ce = NULL;
2503 	}
2504 
2505 	/* with exact matches, walk up the labels until we find the
2506 	 * delegation, or DNAME or zone end */
2507 	while(n) {
2508 		/* see if the current candidate has issues */
2509 		/* not zone apex and has type NS */
2510 		if(n->namelen != z->namelen &&
2511 			(lookrrset=az_domain_rrset(n, LDNS_RR_TYPE_NS)) &&
2512 			/* delegate here, but DS at exact the dp has notype */
2513 			(qinfo->qtype != LDNS_RR_TYPE_DS ||
2514 			n->namelen != qinfo->qname_len)) {
2515 			/* referral */
2516 			/* this is ce and the lowernode is nonexisting */
2517 			*ce = n;
2518 			*rrset = lookrrset;
2519 			node_exact = 0;
2520 		}
2521 		/* not equal to qname and has type DNAME */
2522 		if(n->namelen != qinfo->qname_len &&
2523 			(lookrrset=az_domain_rrset(n, LDNS_RR_TYPE_DNAME))) {
2524 			/* this is ce and the lowernode is nonexisting */
2525 			*ce = n;
2526 			*rrset = lookrrset;
2527 			node_exact = 0;
2528 		}
2529 
2530 		if(*ce == NULL && !domain_has_only_nsec3(n)) {
2531 			/* if not found yet, this exact name must be
2532 			 * our lowest match (but not nsec3onlydomain) */
2533 			*ce = n;
2534 		}
2535 
2536 		/* walk up the tree by removing labels from name and lookup */
2537 		n = az_domain_go_up(z, n);
2538 	}
2539 	/* found no problems, if it was an exact node, it is fine to use */
2540 	return node_exact;
2541 }
2542 
2543 /** add additional A/AAAA from domain names in rrset rdata (+offset)
2544  * offset is number of bytes in rdata where the dname is located. */
2545 static int
2546 az_add_additionals_from(struct auth_zone* z, struct regional* region,
2547 	struct dns_msg* msg, struct auth_rrset* rrset, size_t offset)
2548 {
2549 	struct packed_rrset_data* d = rrset->data;
2550 	size_t i;
2551 	if(!d) return 0;
2552 	for(i=0; i<d->count; i++) {
2553 		size_t dlen;
2554 		struct auth_data* domain;
2555 		struct auth_rrset* ref;
2556 		if(d->rr_len[i] < 2+offset)
2557 			continue; /* too short */
2558 		if(!(dlen = dname_valid(d->rr_data[i]+2+offset,
2559 			d->rr_len[i]-2-offset)))
2560 			continue; /* malformed */
2561 		domain = az_find_name(z, d->rr_data[i]+2+offset, dlen);
2562 		if(!domain)
2563 			continue;
2564 		if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_A)) != NULL) {
2565 			if(!msg_add_rrset_ar(z, region, msg, domain, ref))
2566 				return 0;
2567 		}
2568 		if((ref=az_domain_rrset(domain, LDNS_RR_TYPE_AAAA)) != NULL) {
2569 			if(!msg_add_rrset_ar(z, region, msg, domain, ref))
2570 				return 0;
2571 		}
2572 	}
2573 	return 1;
2574 }
2575 
2576 /** add negative SOA record (with negative TTL) */
2577 static int
2578 az_add_negative_soa(struct auth_zone* z, struct regional* region,
2579 	struct dns_msg* msg)
2580 {
2581 	time_t minimum;
2582 	size_t i;
2583 	struct packed_rrset_data* d;
2584 	struct auth_rrset* soa;
2585 	struct auth_data* apex = az_find_name(z, z->name, z->namelen);
2586 	if(!apex) return 0;
2587 	soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA);
2588 	if(!soa) return 0;
2589 	/* must be first to put in message; we want to fix the TTL with
2590 	 * one RRset here, otherwise we'd need to loop over the RRs to get
2591 	 * the resulting lower TTL */
2592 	log_assert(msg->rep->rrset_count == 0);
2593 	if(!msg_add_rrset_ns(z, region, msg, apex, soa)) return 0;
2594 	/* fixup TTL */
2595 	d = (struct packed_rrset_data*)msg->rep->rrsets[msg->rep->rrset_count-1]->entry.data;
2596 	/* last 4 bytes are minimum ttl in network format */
2597 	if(d->count == 0) return 0;
2598 	if(d->rr_len[0] < 2+4) return 0;
2599 	minimum = (time_t)sldns_read_uint32(d->rr_data[0]+(d->rr_len[0]-4));
2600 	minimum = d->ttl<minimum?d->ttl:minimum;
2601 	d->ttl = minimum;
2602 	for(i=0; i < d->count + d->rrsig_count; i++)
2603 		d->rr_ttl[i] = minimum;
2604 	msg->rep->ttl = get_rrset_ttl(msg->rep->rrsets[0]);
2605 	msg->rep->prefetch_ttl = PREFETCH_TTL_CALC(msg->rep->ttl);
2606 	msg->rep->serve_expired_ttl = msg->rep->ttl + SERVE_EXPIRED_TTL;
2607 	return 1;
2608 }
2609 
2610 /** See if the query goes to empty nonterminal (that has no auth_data,
2611  * but there are nodes underneath.  We already checked that there are
2612  * not NS, or DNAME above, so that we only need to check if some node
2613  * exists below (with nonempty rr list), return true if emptynonterminal */
2614 static int
2615 az_empty_nonterminal(struct auth_zone* z, struct query_info* qinfo,
2616 	struct auth_data* node)
2617 {
2618 	struct auth_data* next;
2619 	if(!node) {
2620 		/* no smaller was found, use first (smallest) node as the
2621 		 * next one */
2622 		next = (struct auth_data*)rbtree_first(&z->data);
2623 	} else {
2624 		next = (struct auth_data*)rbtree_next(&node->node);
2625 	}
2626 	while(next && (rbnode_type*)next != RBTREE_NULL && next->rrsets == NULL) {
2627 		/* the next name has empty rrsets, is an empty nonterminal
2628 		 * itself, see if there exists something below it */
2629 		next = (struct auth_data*)rbtree_next(&node->node);
2630 	}
2631 	if((rbnode_type*)next == RBTREE_NULL || !next) {
2632 		/* there is no next node, so something below it cannot
2633 		 * exist */
2634 		return 0;
2635 	}
2636 	/* a next node exists, if there was something below the query,
2637 	 * this node has to be it.  See if it is below the query name */
2638 	if(dname_strict_subdomain_c(next->name, qinfo->qname))
2639 		return 1;
2640 	return 0;
2641 }
2642 
2643 /** create synth cname target name in buffer, or fail if too long */
2644 static size_t
2645 synth_cname_buf(uint8_t* qname, size_t qname_len, size_t dname_len,
2646 	uint8_t* dtarg, size_t dtarglen, uint8_t* buf, size_t buflen)
2647 {
2648 	size_t newlen = qname_len + dtarglen - dname_len;
2649 	if(newlen > buflen) {
2650 		/* YXDOMAIN error */
2651 		return 0;
2652 	}
2653 	/* new name is concatenation of qname front (without DNAME owner)
2654 	 * and DNAME target name */
2655 	memcpy(buf, qname, qname_len-dname_len);
2656 	memmove(buf+(qname_len-dname_len), dtarg, dtarglen);
2657 	return newlen;
2658 }
2659 
2660 /** create synthetic CNAME rrset for in a DNAME answer in region,
2661  * false on alloc failure, cname==NULL when name too long. */
2662 static int
2663 create_synth_cname(uint8_t* qname, size_t qname_len, struct regional* region,
2664 	struct auth_data* node, struct auth_rrset* dname, uint16_t dclass,
2665 	struct ub_packed_rrset_key** cname)
2666 {
2667 	uint8_t buf[LDNS_MAX_DOMAINLEN];
2668 	uint8_t* dtarg;
2669 	size_t dtarglen, newlen;
2670 	struct packed_rrset_data* d;
2671 
2672 	/* get DNAME target name */
2673 	if(dname->data->count < 1) return 0;
2674 	if(dname->data->rr_len[0] < 3) return 0; /* at least rdatalen +1 */
2675 	dtarg = dname->data->rr_data[0]+2;
2676 	dtarglen = dname->data->rr_len[0]-2;
2677 	if(sldns_read_uint16(dname->data->rr_data[0]) != dtarglen)
2678 		return 0; /* rdatalen in DNAME rdata is malformed */
2679 	if(dname_valid(dtarg, dtarglen) != dtarglen)
2680 		return 0; /* DNAME RR has malformed rdata */
2681 	if(qname_len == 0)
2682 		return 0; /* too short */
2683 	if(qname_len <= node->namelen)
2684 		return 0; /* qname too short for dname removal */
2685 
2686 	/* synthesize a CNAME */
2687 	newlen = synth_cname_buf(qname, qname_len, node->namelen,
2688 		dtarg, dtarglen, buf, sizeof(buf));
2689 	if(newlen == 0) {
2690 		/* YXDOMAIN error */
2691 		*cname = NULL;
2692 		return 1;
2693 	}
2694 	*cname = (struct ub_packed_rrset_key*)regional_alloc(region,
2695 		sizeof(struct ub_packed_rrset_key));
2696 	if(!*cname)
2697 		return 0; /* out of memory */
2698 	memset(&(*cname)->entry, 0, sizeof((*cname)->entry));
2699 	(*cname)->entry.key = (*cname);
2700 	(*cname)->rk.type = htons(LDNS_RR_TYPE_CNAME);
2701 	(*cname)->rk.rrset_class = htons(dclass);
2702 	(*cname)->rk.flags = 0;
2703 	(*cname)->rk.dname = regional_alloc_init(region, qname, qname_len);
2704 	if(!(*cname)->rk.dname)
2705 		return 0; /* out of memory */
2706 	(*cname)->rk.dname_len = qname_len;
2707 	(*cname)->entry.hash = rrset_key_hash(&(*cname)->rk);
2708 	d = (struct packed_rrset_data*)regional_alloc_zero(region,
2709 		sizeof(struct packed_rrset_data) + sizeof(size_t) +
2710 		sizeof(uint8_t*) + sizeof(time_t) + sizeof(uint16_t)
2711 		+ newlen);
2712 	if(!d)
2713 		return 0; /* out of memory */
2714 	(*cname)->entry.data = d;
2715 	d->ttl = dname->data->ttl; /* RFC6672: synth CNAME TTL == DNAME TTL */
2716 	d->count = 1;
2717 	d->rrsig_count = 0;
2718 	d->trust = rrset_trust_ans_noAA;
2719 	d->rr_len = (size_t*)((uint8_t*)d +
2720 		sizeof(struct packed_rrset_data));
2721 	d->rr_len[0] = newlen + sizeof(uint16_t);
2722 	packed_rrset_ptr_fixup(d);
2723 	d->rr_ttl[0] = d->ttl;
2724 	sldns_write_uint16(d->rr_data[0], newlen);
2725 	memmove(d->rr_data[0] + sizeof(uint16_t), buf, newlen);
2726 	return 1;
2727 }
2728 
2729 /** add a synthesized CNAME to the answer section */
2730 static int
2731 add_synth_cname(struct auth_zone* z, uint8_t* qname, size_t qname_len,
2732 	struct regional* region, struct dns_msg* msg, struct auth_data* dname,
2733 	struct auth_rrset* rrset)
2734 {
2735 	struct ub_packed_rrset_key* cname;
2736 	/* synthesize a CNAME */
2737 	if(!create_synth_cname(qname, qname_len, region, dname, rrset,
2738 		z->dclass, &cname)) {
2739 		/* out of memory */
2740 		return 0;
2741 	}
2742 	if(!cname) {
2743 		/* cname cannot be create because of YXDOMAIN */
2744 		msg->rep->flags |= LDNS_RCODE_YXDOMAIN;
2745 		return 1;
2746 	}
2747 	/* add cname to message */
2748 	if(!msg_grow_array(region, msg))
2749 		return 0;
2750 	msg->rep->rrsets[msg->rep->rrset_count] = cname;
2751 	msg->rep->rrset_count++;
2752 	msg->rep->an_numrrsets++;
2753 	msg_ttl(msg);
2754 	return 1;
2755 }
2756 
2757 /** Change a dname to a different one, for wildcard namechange */
2758 static void
2759 az_change_dnames(struct dns_msg* msg, uint8_t* oldname, uint8_t* newname,
2760 	size_t newlen, int an_only)
2761 {
2762 	size_t i;
2763 	size_t start = 0, end = msg->rep->rrset_count;
2764 	if(!an_only) start = msg->rep->an_numrrsets;
2765 	if(an_only) end = msg->rep->an_numrrsets;
2766 	for(i=start; i<end; i++) {
2767 		/* allocated in region so we can change the ptrs */
2768 		if(query_dname_compare(msg->rep->rrsets[i]->rk.dname, oldname)
2769 			== 0) {
2770 			msg->rep->rrsets[i]->rk.dname = newname;
2771 			msg->rep->rrsets[i]->rk.dname_len = newlen;
2772 			msg->rep->rrsets[i]->entry.hash = rrset_key_hash(&msg->rep->rrsets[i]->rk);
2773 		}
2774 	}
2775 }
2776 
2777 /** find NSEC record covering the query */
2778 static struct auth_rrset*
2779 az_find_nsec_cover(struct auth_zone* z, struct auth_data** node)
2780 {
2781 	uint8_t* nm = (*node)->name;
2782 	size_t nmlen = (*node)->namelen;
2783 	struct auth_rrset* rrset;
2784 	/* find the NSEC for the smallest-or-equal node */
2785 	/* if node == NULL, we did not find a smaller name.  But the zone
2786 	 * name is the smallest name and should have an NSEC. So there is
2787 	 * no NSEC to return (for a properly signed zone) */
2788 	/* for empty nonterminals, the auth-data node should not exist,
2789 	 * and thus we don't need to go rbtree_previous here to find
2790 	 * a domain with an NSEC record */
2791 	/* but there could be glue, and if this is node, then it has no NSEC.
2792 	 * Go up to find nonglue (previous) NSEC-holding nodes */
2793 	while((rrset=az_domain_rrset(*node, LDNS_RR_TYPE_NSEC)) == NULL) {
2794 		if(dname_is_root(nm)) return NULL;
2795 		if(nmlen == z->namelen) return NULL;
2796 		dname_remove_label(&nm, &nmlen);
2797 		/* adjust *node for the nsec rrset to find in */
2798 		*node = az_find_name(z, nm, nmlen);
2799 	}
2800 	return rrset;
2801 }
2802 
2803 /** Find NSEC and add for wildcard denial */
2804 static int
2805 az_nsec_wildcard_denial(struct auth_zone* z, struct regional* region,
2806 	struct dns_msg* msg, uint8_t* cenm, size_t cenmlen)
2807 {
2808 	struct query_info qinfo;
2809 	int node_exact;
2810 	struct auth_data* node;
2811 	struct auth_rrset* nsec;
2812 	uint8_t wc[LDNS_MAX_DOMAINLEN];
2813 	if(cenmlen+2 > sizeof(wc))
2814 		return 0; /* result would be too long */
2815 	wc[0] = 1; /* length of wildcard label */
2816 	wc[1] = (uint8_t)'*'; /* wildcard label */
2817 	memmove(wc+2, cenm, cenmlen);
2818 
2819 	/* we have '*.ce' in wc wildcard name buffer */
2820 	/* get nsec cover for that */
2821 	qinfo.qname = wc;
2822 	qinfo.qname_len = cenmlen+2;
2823 	qinfo.qtype = 0;
2824 	qinfo.qclass = 0;
2825 	az_find_domain(z, &qinfo, &node_exact, &node);
2826 	if((nsec=az_find_nsec_cover(z, &node)) != NULL) {
2827 		if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0;
2828 	}
2829 	return 1;
2830 }
2831 
2832 /** Find the NSEC3PARAM rrset (if any) and if true you have the parameters */
2833 static int
2834 az_nsec3_param(struct auth_zone* z, int* algo, size_t* iter, uint8_t** salt,
2835 	size_t* saltlen)
2836 {
2837 	struct auth_data* apex;
2838 	struct auth_rrset* param;
2839 	size_t i;
2840 	apex = az_find_name(z, z->name, z->namelen);
2841 	if(!apex) return 0;
2842 	param = az_domain_rrset(apex, LDNS_RR_TYPE_NSEC3PARAM);
2843 	if(!param || param->data->count==0)
2844 		return 0; /* no RRset or no RRs in rrset */
2845 	/* find out which NSEC3PARAM RR has supported parameters */
2846 	/* skip unknown flags (dynamic signer is recalculating nsec3 chain) */
2847 	for(i=0; i<param->data->count; i++) {
2848 		uint8_t* rdata = param->data->rr_data[i]+2;
2849 		size_t rdatalen = param->data->rr_len[i];
2850 		if(rdatalen < 2+5)
2851 			continue; /* too short */
2852 		if(!nsec3_hash_algo_size_supported((int)(rdata[0])))
2853 			continue; /* unsupported algo */
2854 		if(rdatalen < (size_t)(2+5+(size_t)rdata[4]))
2855 			continue; /* salt missing */
2856 		if((rdata[1]&NSEC3_UNKNOWN_FLAGS)!=0)
2857 			continue; /* unknown flags */
2858 		*algo = (int)(rdata[0]);
2859 		*iter = sldns_read_uint16(rdata+2);
2860 		*saltlen = rdata[4];
2861 		if(*saltlen == 0)
2862 			*salt = NULL;
2863 		else	*salt = rdata+5;
2864 		return 1;
2865 	}
2866 	/* no supported params */
2867 	return 0;
2868 }
2869 
2870 /** Hash a name with nsec3param into buffer, it has zone name appended.
2871  * return length of hash */
2872 static size_t
2873 az_nsec3_hash(uint8_t* buf, size_t buflen, uint8_t* nm, size_t nmlen,
2874 	int algo, size_t iter, uint8_t* salt, size_t saltlen)
2875 {
2876 	size_t hlen = nsec3_hash_algo_size_supported(algo);
2877 	/* buffer has domain name, nsec3hash, and 256 is for max saltlen
2878 	 * (salt has 0-255 length) */
2879 	unsigned char p[LDNS_MAX_DOMAINLEN+1+N3HASHBUFLEN+256];
2880 	size_t i;
2881 	if(nmlen+saltlen > sizeof(p) || hlen+saltlen > sizeof(p))
2882 		return 0;
2883 	if(hlen > buflen)
2884 		return 0; /* somehow too large for destination buffer */
2885 	/* hashfunc(name, salt) */
2886 	memmove(p, nm, nmlen);
2887 	query_dname_tolower(p);
2888 	if(salt && saltlen > 0)
2889 		memmove(p+nmlen, salt, saltlen);
2890 	(void)secalgo_nsec3_hash(algo, p, nmlen+saltlen, (unsigned char*)buf);
2891 	for(i=0; i<iter; i++) {
2892 		/* hashfunc(hash, salt) */
2893 		memmove(p, buf, hlen);
2894 		if(salt && saltlen > 0)
2895 			memmove(p+hlen, salt, saltlen);
2896 		(void)secalgo_nsec3_hash(algo, p, hlen+saltlen,
2897 			(unsigned char*)buf);
2898 	}
2899 	return hlen;
2900 }
2901 
2902 /** Hash name and return b32encoded hashname for lookup, zone name appended */
2903 static int
2904 az_nsec3_hashname(struct auth_zone* z, uint8_t* hashname, size_t* hashnmlen,
2905 	uint8_t* nm, size_t nmlen, int algo, size_t iter, uint8_t* salt,
2906 	size_t saltlen)
2907 {
2908 	uint8_t hash[N3HASHBUFLEN];
2909 	size_t hlen;
2910 	int ret;
2911 	hlen = az_nsec3_hash(hash, sizeof(hash), nm, nmlen, algo, iter,
2912 		salt, saltlen);
2913 	if(!hlen) return 0;
2914 	/* b32 encode */
2915 	if(*hashnmlen < hlen*2+1+z->namelen) /* approx b32 as hexb16 */
2916 		return 0;
2917 	ret = sldns_b32_ntop_extended_hex(hash, hlen, (char*)(hashname+1),
2918 		(*hashnmlen)-1);
2919 	if(ret<1)
2920 		return 0;
2921 	hashname[0] = (uint8_t)ret;
2922 	ret++;
2923 	if((*hashnmlen) - ret < z->namelen)
2924 		return 0;
2925 	memmove(hashname+ret, z->name, z->namelen);
2926 	*hashnmlen = z->namelen+(size_t)ret;
2927 	return 1;
2928 }
2929 
2930 /** Find the datanode that covers the nsec3hash-name */
2931 static struct auth_data*
2932 az_nsec3_findnode(struct auth_zone* z, uint8_t* hashnm, size_t hashnmlen)
2933 {
2934 	struct query_info qinfo;
2935 	struct auth_data* node;
2936 	int node_exact;
2937 	qinfo.qclass = 0;
2938 	qinfo.qtype = 0;
2939 	qinfo.qname = hashnm;
2940 	qinfo.qname_len = hashnmlen;
2941 	/* because canonical ordering and b32 nsec3 ordering are the same.
2942 	 * this is a good lookup to find the nsec3 name. */
2943 	az_find_domain(z, &qinfo, &node_exact, &node);
2944 	/* but we may have to skip non-nsec3 nodes */
2945 	/* this may be a lot, the way to speed that up is to have a
2946 	 * separate nsec3 tree with nsec3 nodes */
2947 	while(node && (rbnode_type*)node != RBTREE_NULL &&
2948 		!az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) {
2949 		node = (struct auth_data*)rbtree_previous(&node->node);
2950 	}
2951 	if((rbnode_type*)node == RBTREE_NULL)
2952 		node = NULL;
2953 	return node;
2954 }
2955 
2956 /** Find cover for hashed(nm, nmlen) (or NULL) */
2957 static struct auth_data*
2958 az_nsec3_find_cover(struct auth_zone* z, uint8_t* nm, size_t nmlen,
2959 	int algo, size_t iter, uint8_t* salt, size_t saltlen)
2960 {
2961 	struct auth_data* node;
2962 	uint8_t hname[LDNS_MAX_DOMAINLEN];
2963 	size_t hlen = sizeof(hname);
2964 	if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter,
2965 		salt, saltlen))
2966 		return NULL;
2967 	node = az_nsec3_findnode(z, hname, hlen);
2968 	if(node)
2969 		return node;
2970 	/* we did not find any, perhaps because the NSEC3 hash is before
2971 	 * the first hash, we have to find the 'last hash' in the zone */
2972 	node = (struct auth_data*)rbtree_last(&z->data);
2973 	while(node && (rbnode_type*)node != RBTREE_NULL &&
2974 		!az_domain_rrset(node, LDNS_RR_TYPE_NSEC3)) {
2975 		node = (struct auth_data*)rbtree_previous(&node->node);
2976 	}
2977 	if((rbnode_type*)node == RBTREE_NULL)
2978 		node = NULL;
2979 	return node;
2980 }
2981 
2982 /** Find exact match for hashed(nm, nmlen) NSEC3 record or NULL */
2983 static struct auth_data*
2984 az_nsec3_find_exact(struct auth_zone* z, uint8_t* nm, size_t nmlen,
2985 	int algo, size_t iter, uint8_t* salt, size_t saltlen)
2986 {
2987 	struct auth_data* node;
2988 	uint8_t hname[LDNS_MAX_DOMAINLEN];
2989 	size_t hlen = sizeof(hname);
2990 	if(!az_nsec3_hashname(z, hname, &hlen, nm, nmlen, algo, iter,
2991 		salt, saltlen))
2992 		return NULL;
2993 	node = az_find_name(z, hname, hlen);
2994 	if(az_domain_rrset(node, LDNS_RR_TYPE_NSEC3))
2995 		return node;
2996 	return NULL;
2997 }
2998 
2999 /** Return nextcloser name (as a ref into the qname).  This is one label
3000  * more than the cenm (cename must be a suffix of qname) */
3001 static void
3002 az_nsec3_get_nextcloser(uint8_t* cenm, uint8_t* qname, size_t qname_len,
3003 	uint8_t** nx, size_t* nxlen)
3004 {
3005 	int celabs = dname_count_labels(cenm);
3006 	int qlabs = dname_count_labels(qname);
3007 	int strip = qlabs - celabs -1;
3008 	log_assert(dname_strict_subdomain(qname, qlabs, cenm, celabs));
3009 	*nx = qname;
3010 	*nxlen = qname_len;
3011 	if(strip>0)
3012 		dname_remove_labels(nx, nxlen, strip);
3013 }
3014 
3015 /** Find the closest encloser that has exact NSEC3.
3016  * updated cenm to the new name. If it went up no-exact-ce is true. */
3017 static struct auth_data*
3018 az_nsec3_find_ce(struct auth_zone* z, uint8_t** cenm, size_t* cenmlen,
3019 	int* no_exact_ce, int algo, size_t iter, uint8_t* salt, size_t saltlen)
3020 {
3021 	struct auth_data* node;
3022 	while((node = az_nsec3_find_exact(z, *cenm, *cenmlen,
3023 		algo, iter, salt, saltlen)) == NULL) {
3024 		if(*cenmlen == z->namelen) {
3025 			/* next step up would take us out of the zone. fail */
3026 			return NULL;
3027 		}
3028 		*no_exact_ce = 1;
3029 		dname_remove_label(cenm, cenmlen);
3030 	}
3031 	return node;
3032 }
3033 
3034 /* Insert NSEC3 record in authority section, if NULL does nothing */
3035 static int
3036 az_nsec3_insert(struct auth_zone* z, struct regional* region,
3037 	struct dns_msg* msg, struct auth_data* node)
3038 {
3039 	struct auth_rrset* nsec3;
3040 	if(!node) return 1; /* no node, skip this */
3041 	nsec3 = az_domain_rrset(node, LDNS_RR_TYPE_NSEC3);
3042 	if(!nsec3) return 1; /* if no nsec3 RR, skip it */
3043 	if(!msg_add_rrset_ns(z, region, msg, node, nsec3)) return 0;
3044 	return 1;
3045 }
3046 
3047 /** add NSEC3 records to the zone for the nsec3 proof.
3048  * Specify with the flags with parts of the proof are required.
3049  * the ce is the exact matching name (for notype) but also delegation points.
3050  * qname is the one where the nextcloser name can be derived from.
3051  * If NSEC3 is not properly there (in the zone) nothing is added.
3052  * always enabled: include nsec3 proving about the Closest Encloser.
3053  * 	that is an exact match that should exist for it.
3054  * 	If that does not exist, a higher exact match + nxproof is enabled
3055  * 	(for some sort of opt-out empty nonterminal cases).
3056  * nodataproof: search for exact match and include that instead.
3057  * ceproof: include ce proof NSEC3 (omitted for wildcard replies).
3058  * nxproof: include denial of the qname.
3059  * wcproof: include denial of wildcard (wildcard.ce).
3060  */
3061 static int
3062 az_add_nsec3_proof(struct auth_zone* z, struct regional* region,
3063 	struct dns_msg* msg, uint8_t* cenm, size_t cenmlen, uint8_t* qname,
3064 	size_t qname_len, int nodataproof, int ceproof, int nxproof,
3065 	int wcproof)
3066 {
3067 	int algo;
3068 	size_t iter, saltlen;
3069 	uint8_t* salt;
3070 	int no_exact_ce = 0;
3071 	struct auth_data* node;
3072 
3073 	/* find parameters of nsec3 proof */
3074 	if(!az_nsec3_param(z, &algo, &iter, &salt, &saltlen))
3075 		return 1; /* no nsec3 */
3076 	if(nodataproof) {
3077 		/* see if the node has a hash of itself for the nodata
3078 		 * proof nsec3, this has to be an exact match nsec3. */
3079 		struct auth_data* match;
3080 		match = az_nsec3_find_exact(z, qname, qname_len, algo,
3081 			iter, salt, saltlen);
3082 		if(match) {
3083 			if(!az_nsec3_insert(z, region, msg, match))
3084 				return 0;
3085 			/* only nodata NSEC3 needed, no CE or others. */
3086 			return 1;
3087 		}
3088 	}
3089 	/* find ce that has an NSEC3 */
3090 	if(ceproof) {
3091 		node = az_nsec3_find_ce(z, &cenm, &cenmlen, &no_exact_ce,
3092 			algo, iter, salt, saltlen);
3093 		if(no_exact_ce) nxproof = 1;
3094 		if(!az_nsec3_insert(z, region, msg, node))
3095 			return 0;
3096 	}
3097 
3098 	if(nxproof) {
3099 		uint8_t* nx;
3100 		size_t nxlen;
3101 		/* create nextcloser domain name */
3102 		az_nsec3_get_nextcloser(cenm, qname, qname_len, &nx, &nxlen);
3103 		/* find nsec3 that matches or covers it */
3104 		node = az_nsec3_find_cover(z, nx, nxlen, algo, iter, salt,
3105 			saltlen);
3106 		if(!az_nsec3_insert(z, region, msg, node))
3107 			return 0;
3108 	}
3109 	if(wcproof) {
3110 		/* create wildcard name *.ce */
3111 		uint8_t wc[LDNS_MAX_DOMAINLEN];
3112 		size_t wclen;
3113 		if(cenmlen+2 > sizeof(wc))
3114 			return 0; /* result would be too long */
3115 		wc[0] = 1; /* length of wildcard label */
3116 		wc[1] = (uint8_t)'*'; /* wildcard label */
3117 		memmove(wc+2, cenm, cenmlen);
3118 		wclen = cenmlen+2;
3119 		/* find nsec3 that matches or covers it */
3120 		node = az_nsec3_find_cover(z, wc, wclen, algo, iter, salt,
3121 			saltlen);
3122 		if(!az_nsec3_insert(z, region, msg, node))
3123 			return 0;
3124 	}
3125 	return 1;
3126 }
3127 
3128 /** generate answer for positive answer */
3129 static int
3130 az_generate_positive_answer(struct auth_zone* z, struct regional* region,
3131 	struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
3132 {
3133 	if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
3134 	/* see if we want additional rrs */
3135 	if(rrset->type == LDNS_RR_TYPE_MX) {
3136 		if(!az_add_additionals_from(z, region, msg, rrset, 2))
3137 			return 0;
3138 	} else if(rrset->type == LDNS_RR_TYPE_SRV) {
3139 		if(!az_add_additionals_from(z, region, msg, rrset, 6))
3140 			return 0;
3141 	} else if(rrset->type == LDNS_RR_TYPE_NS) {
3142 		if(!az_add_additionals_from(z, region, msg, rrset, 0))
3143 			return 0;
3144 	}
3145 	return 1;
3146 }
3147 
3148 /** generate answer for type ANY answer */
3149 static int
3150 az_generate_any_answer(struct auth_zone* z, struct regional* region,
3151 	struct dns_msg* msg, struct auth_data* node)
3152 {
3153 	struct auth_rrset* rrset;
3154 	int added = 0;
3155 	/* add a couple (at least one) RRs */
3156 	if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_SOA)) != NULL) {
3157 		if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
3158 		added++;
3159 	}
3160 	if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_MX)) != NULL) {
3161 		if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
3162 		added++;
3163 	}
3164 	if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_A)) != NULL) {
3165 		if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
3166 		added++;
3167 	}
3168 	if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_AAAA)) != NULL) {
3169 		if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
3170 		added++;
3171 	}
3172 	if(added == 0 && node && node->rrsets) {
3173 		if(!msg_add_rrset_an(z, region, msg, node,
3174 			node->rrsets)) return 0;
3175 	}
3176 	return 1;
3177 }
3178 
3179 /** follow cname chain and add more data to the answer section */
3180 static int
3181 follow_cname_chain(struct auth_zone* z, uint16_t qtype,
3182 	struct regional* region, struct dns_msg* msg,
3183 	struct packed_rrset_data* d)
3184 {
3185 	int maxchain = 0;
3186 	/* see if we can add the target of the CNAME into the answer */
3187 	while(maxchain++ < MAX_CNAME_CHAIN) {
3188 		struct auth_data* node;
3189 		struct auth_rrset* rrset;
3190 		size_t clen;
3191 		/* d has cname rdata */
3192 		if(d->count == 0) break; /* no CNAME */
3193 		if(d->rr_len[0] < 2+1) break; /* too small */
3194 		if((clen=dname_valid(d->rr_data[0]+2, d->rr_len[0]-2))==0)
3195 			break; /* malformed */
3196 		if(!dname_subdomain_c(d->rr_data[0]+2, z->name))
3197 			break; /* target out of zone */
3198 		if((node = az_find_name(z, d->rr_data[0]+2, clen))==NULL)
3199 			break; /* no such target name */
3200 		if((rrset=az_domain_rrset(node, qtype))!=NULL) {
3201 			/* done we found the target */
3202 			if(!msg_add_rrset_an(z, region, msg, node, rrset))
3203 				return 0;
3204 			break;
3205 		}
3206 		if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME))==NULL)
3207 			break; /* no further CNAME chain, notype */
3208 		if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
3209 		d = rrset->data;
3210 	}
3211 	return 1;
3212 }
3213 
3214 /** generate answer for cname answer */
3215 static int
3216 az_generate_cname_answer(struct auth_zone* z, struct query_info* qinfo,
3217 	struct regional* region, struct dns_msg* msg,
3218 	struct auth_data* node, struct auth_rrset* rrset)
3219 {
3220 	if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
3221 	if(!rrset) return 1;
3222 	if(!follow_cname_chain(z, qinfo->qtype, region, msg, rrset->data))
3223 		return 0;
3224 	return 1;
3225 }
3226 
3227 /** generate answer for notype answer */
3228 static int
3229 az_generate_notype_answer(struct auth_zone* z, struct regional* region,
3230 	struct dns_msg* msg, struct auth_data* node)
3231 {
3232 	struct auth_rrset* rrset;
3233 	if(!az_add_negative_soa(z, region, msg)) return 0;
3234 	/* DNSSEC denial NSEC */
3235 	if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_NSEC))!=NULL) {
3236 		if(!msg_add_rrset_ns(z, region, msg, node, rrset)) return 0;
3237 	} else if(node) {
3238 		/* DNSSEC denial NSEC3 */
3239 		if(!az_add_nsec3_proof(z, region, msg, node->name,
3240 			node->namelen, msg->qinfo.qname,
3241 			msg->qinfo.qname_len, 1, 1, 0, 0))
3242 			return 0;
3243 	}
3244 	return 1;
3245 }
3246 
3247 /** generate answer for referral answer */
3248 static int
3249 az_generate_referral_answer(struct auth_zone* z, struct regional* region,
3250 	struct dns_msg* msg, struct auth_data* ce, struct auth_rrset* rrset)
3251 {
3252 	struct auth_rrset* ds, *nsec;
3253 	/* turn off AA flag, referral is nonAA because it leaves the zone */
3254 	log_assert(ce);
3255 	msg->rep->flags &= ~BIT_AA;
3256 	if(!msg_add_rrset_ns(z, region, msg, ce, rrset)) return 0;
3257 	/* add DS or deny it */
3258 	if((ds=az_domain_rrset(ce, LDNS_RR_TYPE_DS))!=NULL) {
3259 		if(!msg_add_rrset_ns(z, region, msg, ce, ds)) return 0;
3260 	} else {
3261 		/* deny the DS */
3262 		if((nsec=az_domain_rrset(ce, LDNS_RR_TYPE_NSEC))!=NULL) {
3263 			if(!msg_add_rrset_ns(z, region, msg, ce, nsec))
3264 				return 0;
3265 		} else {
3266 			if(!az_add_nsec3_proof(z, region, msg, ce->name,
3267 				ce->namelen, msg->qinfo.qname,
3268 				msg->qinfo.qname_len, 1, 1, 0, 0))
3269 				return 0;
3270 		}
3271 	}
3272 	/* add additional rrs for type NS */
3273 	if(!az_add_additionals_from(z, region, msg, rrset, 0)) return 0;
3274 	return 1;
3275 }
3276 
3277 /** generate answer for DNAME answer */
3278 static int
3279 az_generate_dname_answer(struct auth_zone* z, struct query_info* qinfo,
3280 	struct regional* region, struct dns_msg* msg, struct auth_data* ce,
3281 	struct auth_rrset* rrset)
3282 {
3283 	log_assert(ce);
3284 	/* add the DNAME and then a CNAME */
3285 	if(!msg_add_rrset_an(z, region, msg, ce, rrset)) return 0;
3286 	if(!add_synth_cname(z, qinfo->qname, qinfo->qname_len, region,
3287 		msg, ce, rrset)) return 0;
3288 	if(FLAGS_GET_RCODE(msg->rep->flags) == LDNS_RCODE_YXDOMAIN)
3289 		return 1;
3290 	if(msg->rep->rrset_count == 0 ||
3291 		!msg->rep->rrsets[msg->rep->rrset_count-1])
3292 		return 0;
3293 	if(!follow_cname_chain(z, qinfo->qtype, region, msg,
3294 		(struct packed_rrset_data*)msg->rep->rrsets[
3295 		msg->rep->rrset_count-1]->entry.data))
3296 		return 0;
3297 	return 1;
3298 }
3299 
3300 /** generate answer for wildcard answer */
3301 static int
3302 az_generate_wildcard_answer(struct auth_zone* z, struct query_info* qinfo,
3303 	struct regional* region, struct dns_msg* msg, struct auth_data* ce,
3304 	struct auth_data* wildcard, struct auth_data* node)
3305 {
3306 	struct auth_rrset* rrset, *nsec;
3307 	int insert_ce = 0;
3308 	if((rrset=az_domain_rrset(wildcard, qinfo->qtype)) != NULL) {
3309 		/* wildcard has type, add it */
3310 		if(!msg_add_rrset_an(z, region, msg, wildcard, rrset))
3311 			return 0;
3312 		az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
3313 			msg->qinfo.qname_len, 1);
3314 	} else if((rrset=az_domain_rrset(wildcard, LDNS_RR_TYPE_CNAME))!=NULL) {
3315 		/* wildcard has cname instead, do that */
3316 		if(!msg_add_rrset_an(z, region, msg, wildcard, rrset))
3317 			return 0;
3318 		az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
3319 			msg->qinfo.qname_len, 1);
3320 		if(!follow_cname_chain(z, qinfo->qtype, region, msg,
3321 			rrset->data))
3322 			return 0;
3323 	} else if(qinfo->qtype == LDNS_RR_TYPE_ANY && wildcard->rrsets) {
3324 		/* add ANY rrsets from wildcard node */
3325 		if(!az_generate_any_answer(z, region, msg, wildcard))
3326 			return 0;
3327 		az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
3328 			msg->qinfo.qname_len, 1);
3329 	} else {
3330 		/* wildcard has nodata, notype answer */
3331 		/* call other notype routine for dnssec notype denials */
3332 		if(!az_generate_notype_answer(z, region, msg, wildcard))
3333 			return 0;
3334 		/* because the notype, there is no positive data with an
3335 		 * RRSIG that indicates the wildcard position.  Thus the
3336 		 * wildcard qname denial needs to have a CE nsec3. */
3337 		insert_ce = 1;
3338 	}
3339 
3340 	/* ce and node for dnssec denial of wildcard original name */
3341 	if((nsec=az_find_nsec_cover(z, &node)) != NULL) {
3342 		if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0;
3343 	} else if(ce) {
3344 		uint8_t* wildup = wildcard->name;
3345 		size_t wilduplen= wildcard->namelen;
3346 		dname_remove_label(&wildup, &wilduplen);
3347 		if(!az_add_nsec3_proof(z, region, msg, wildup,
3348 			wilduplen, msg->qinfo.qname,
3349 			msg->qinfo.qname_len, 0, insert_ce, 1, 0))
3350 			return 0;
3351 	}
3352 
3353 	/* fixup name of wildcard from *.zone to qname, use already allocated
3354 	 * pointer to msg qname */
3355 	az_change_dnames(msg, wildcard->name, msg->qinfo.qname,
3356 		msg->qinfo.qname_len, 0);
3357 	return 1;
3358 }
3359 
3360 /** generate answer for nxdomain answer */
3361 static int
3362 az_generate_nxdomain_answer(struct auth_zone* z, struct regional* region,
3363 	struct dns_msg* msg, struct auth_data* ce, struct auth_data* node)
3364 {
3365 	struct auth_rrset* nsec;
3366 	msg->rep->flags |= LDNS_RCODE_NXDOMAIN;
3367 	if(!az_add_negative_soa(z, region, msg)) return 0;
3368 	if((nsec=az_find_nsec_cover(z, &node)) != NULL) {
3369 		if(!msg_add_rrset_ns(z, region, msg, node, nsec)) return 0;
3370 		if(ce && !az_nsec_wildcard_denial(z, region, msg, ce->name,
3371 			ce->namelen)) return 0;
3372 	} else if(ce) {
3373 		if(!az_add_nsec3_proof(z, region, msg, ce->name,
3374 			ce->namelen, msg->qinfo.qname,
3375 			msg->qinfo.qname_len, 0, 1, 1, 1))
3376 			return 0;
3377 	}
3378 	return 1;
3379 }
3380 
3381 /** Create answers when an exact match exists for the domain name */
3382 static int
3383 az_generate_answer_with_node(struct auth_zone* z, struct query_info* qinfo,
3384 	struct regional* region, struct dns_msg* msg, struct auth_data* node)
3385 {
3386 	struct auth_rrset* rrset;
3387 	/* positive answer, rrset we are looking for exists */
3388 	if((rrset=az_domain_rrset(node, qinfo->qtype)) != NULL) {
3389 		return az_generate_positive_answer(z, region, msg, node, rrset);
3390 	}
3391 	/* CNAME? */
3392 	if((rrset=az_domain_rrset(node, LDNS_RR_TYPE_CNAME)) != NULL) {
3393 		return az_generate_cname_answer(z, qinfo, region, msg,
3394 			node, rrset);
3395 	}
3396 	/* type ANY ? */
3397 	if(qinfo->qtype == LDNS_RR_TYPE_ANY) {
3398 		return az_generate_any_answer(z, region, msg, node);
3399 	}
3400 	/* NOERROR/NODATA (no such type at domain name) */
3401 	return az_generate_notype_answer(z, region, msg, node);
3402 }
3403 
3404 /** Generate answer without an existing-node that we can use.
3405  * So it'll be a referral, DNAME or nxdomain */
3406 static int
3407 az_generate_answer_nonexistnode(struct auth_zone* z, struct query_info* qinfo,
3408 	struct regional* region, struct dns_msg* msg, struct auth_data* ce,
3409 	struct auth_rrset* rrset, struct auth_data* node)
3410 {
3411 	struct auth_data* wildcard;
3412 
3413 	/* we do not have an exact matching name (that exists) */
3414 	/* see if we have a NS or DNAME in the ce */
3415 	if(ce && rrset && rrset->type == LDNS_RR_TYPE_NS) {
3416 		return az_generate_referral_answer(z, region, msg, ce, rrset);
3417 	}
3418 	if(ce && rrset && rrset->type == LDNS_RR_TYPE_DNAME) {
3419 		return az_generate_dname_answer(z, qinfo, region, msg, ce,
3420 			rrset);
3421 	}
3422 	/* if there is an empty nonterminal, wildcard and nxdomain don't
3423 	 * happen, it is a notype answer */
3424 	if(az_empty_nonterminal(z, qinfo, node)) {
3425 		return az_generate_notype_answer(z, region, msg, node);
3426 	}
3427 	/* see if we have a wildcard under the ce */
3428 	if((wildcard=az_find_wildcard(z, qinfo, ce)) != NULL) {
3429 		return az_generate_wildcard_answer(z, qinfo, region, msg,
3430 			ce, wildcard, node);
3431 	}
3432 	/* generate nxdomain answer */
3433 	return az_generate_nxdomain_answer(z, region, msg, ce, node);
3434 }
3435 
3436 /** Lookup answer in a zone. */
3437 static int
3438 auth_zone_generate_answer(struct auth_zone* z, struct query_info* qinfo,
3439 	struct regional* region, struct dns_msg** msg, int* fallback)
3440 {
3441 	struct auth_data* node, *ce;
3442 	struct auth_rrset* rrset;
3443 	int node_exact, node_exists;
3444 	/* does the zone want fallback in case of failure? */
3445 	*fallback = z->fallback_enabled;
3446 	if(!(*msg=msg_create(region, qinfo))) return 0;
3447 
3448 	/* lookup if there is a matching domain name for the query */
3449 	az_find_domain(z, qinfo, &node_exact, &node);
3450 
3451 	/* see if node exists for generating answers from (i.e. not glue and
3452 	 * obscured by NS or DNAME or NSEC3-only), and also return the
3453 	 * closest-encloser from that, closest node that should be used
3454 	 * to generate answers from that is above the query */
3455 	node_exists = az_find_ce(z, qinfo, node, node_exact, &ce, &rrset);
3456 
3457 	if(verbosity >= VERB_ALGO) {
3458 		char zname[256], qname[256], nname[256], cename[256],
3459 			tpstr[32], rrstr[32];
3460 		sldns_wire2str_dname_buf(qinfo->qname, qinfo->qname_len, qname,
3461 			sizeof(qname));
3462 		sldns_wire2str_type_buf(qinfo->qtype, tpstr, sizeof(tpstr));
3463 		sldns_wire2str_dname_buf(z->name, z->namelen, zname,
3464 			sizeof(zname));
3465 		if(node)
3466 			sldns_wire2str_dname_buf(node->name, node->namelen,
3467 				nname, sizeof(nname));
3468 		else	snprintf(nname, sizeof(nname), "NULL");
3469 		if(ce)
3470 			sldns_wire2str_dname_buf(ce->name, ce->namelen,
3471 				cename, sizeof(cename));
3472 		else	snprintf(cename, sizeof(cename), "NULL");
3473 		if(rrset) sldns_wire2str_type_buf(rrset->type, rrstr,
3474 			sizeof(rrstr));
3475 		else	snprintf(rrstr, sizeof(rrstr), "NULL");
3476 		log_info("auth_zone %s query %s %s, domain %s %s %s, "
3477 			"ce %s, rrset %s", zname, qname, tpstr, nname,
3478 			(node_exact?"exact":"notexact"),
3479 			(node_exists?"exist":"notexist"), cename, rrstr);
3480 	}
3481 
3482 	if(node_exists) {
3483 		/* the node is fine, generate answer from node */
3484 		return az_generate_answer_with_node(z, qinfo, region, *msg,
3485 			node);
3486 	}
3487 	return az_generate_answer_nonexistnode(z, qinfo, region, *msg,
3488 		ce, rrset, node);
3489 }
3490 
3491 int auth_zones_lookup(struct auth_zones* az, struct query_info* qinfo,
3492 	struct regional* region, struct dns_msg** msg, int* fallback,
3493 	uint8_t* dp_nm, size_t dp_nmlen)
3494 {
3495 	int r;
3496 	struct auth_zone* z;
3497 	/* find the zone that should contain the answer. */
3498 	lock_rw_rdlock(&az->lock);
3499 	z = auth_zone_find(az, dp_nm, dp_nmlen, qinfo->qclass);
3500 	if(!z) {
3501 		lock_rw_unlock(&az->lock);
3502 		/* no auth zone, fallback to internet */
3503 		*fallback = 1;
3504 		return 0;
3505 	}
3506 	lock_rw_rdlock(&z->lock);
3507 	lock_rw_unlock(&az->lock);
3508 
3509 	/* if not for upstream queries, fallback */
3510 	if(!z->for_upstream) {
3511 		lock_rw_unlock(&z->lock);
3512 		*fallback = 1;
3513 		return 0;
3514 	}
3515 	if(z->zone_expired) {
3516 		*fallback = z->fallback_enabled;
3517 		lock_rw_unlock(&z->lock);
3518 		return 0;
3519 	}
3520 	/* see what answer that zone would generate */
3521 	r = auth_zone_generate_answer(z, qinfo, region, msg, fallback);
3522 	lock_rw_unlock(&z->lock);
3523 	return r;
3524 }
3525 
3526 /** encode auth answer */
3527 static void
3528 auth_answer_encode(struct query_info* qinfo, struct module_env* env,
3529 	struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf,
3530 	struct regional* temp, struct dns_msg* msg)
3531 {
3532 	uint16_t udpsize;
3533 	udpsize = edns->udp_size;
3534 	edns->edns_version = EDNS_ADVERTISED_VERSION;
3535 	edns->udp_size = EDNS_ADVERTISED_SIZE;
3536 	edns->ext_rcode = 0;
3537 	edns->bits &= EDNS_DO;
3538 
3539 	if(!inplace_cb_reply_local_call(env, qinfo, NULL, msg->rep,
3540 		(int)FLAGS_GET_RCODE(msg->rep->flags), edns, repinfo, temp, env->now_tv)
3541 		|| !reply_info_answer_encode(qinfo, msg->rep,
3542 		*(uint16_t*)sldns_buffer_begin(buf),
3543 		sldns_buffer_read_u16_at(buf, 2),
3544 		buf, 0, 0, temp, udpsize, edns,
3545 		(int)(edns->bits&EDNS_DO), 0)) {
3546 		error_encode(buf, (LDNS_RCODE_SERVFAIL|BIT_AA), qinfo,
3547 			*(uint16_t*)sldns_buffer_begin(buf),
3548 			sldns_buffer_read_u16_at(buf, 2), edns);
3549 	}
3550 }
3551 
3552 /** encode auth error answer */
3553 static void
3554 auth_error_encode(struct query_info* qinfo, struct module_env* env,
3555 	struct edns_data* edns, struct comm_reply* repinfo, sldns_buffer* buf,
3556 	struct regional* temp, int rcode)
3557 {
3558 	edns->edns_version = EDNS_ADVERTISED_VERSION;
3559 	edns->udp_size = EDNS_ADVERTISED_SIZE;
3560 	edns->ext_rcode = 0;
3561 	edns->bits &= EDNS_DO;
3562 
3563 	if(!inplace_cb_reply_local_call(env, qinfo, NULL, NULL,
3564 		rcode, edns, repinfo, temp, env->now_tv))
3565 		edns->opt_list_inplace_cb_out = NULL;
3566 	error_encode(buf, rcode|BIT_AA, qinfo,
3567 		*(uint16_t*)sldns_buffer_begin(buf),
3568 		sldns_buffer_read_u16_at(buf, 2), edns);
3569 }
3570 
3571 int auth_zones_answer(struct auth_zones* az, struct module_env* env,
3572 	struct query_info* qinfo, struct edns_data* edns,
3573 	struct comm_reply* repinfo, struct sldns_buffer* buf, struct regional* temp)
3574 {
3575 	struct dns_msg* msg = NULL;
3576 	struct auth_zone* z;
3577 	int r;
3578 	int fallback = 0;
3579 
3580 	lock_rw_rdlock(&az->lock);
3581 	if(!az->have_downstream) {
3582 		/* no downstream auth zones */
3583 		lock_rw_unlock(&az->lock);
3584 		return 0;
3585 	}
3586 	if(qinfo->qtype == LDNS_RR_TYPE_DS) {
3587 		uint8_t* delname = qinfo->qname;
3588 		size_t delnamelen = qinfo->qname_len;
3589 		dname_remove_label(&delname, &delnamelen);
3590 		z = auth_zones_find_zone(az, delname, delnamelen,
3591 			qinfo->qclass);
3592 	} else {
3593 		z = auth_zones_find_zone(az, qinfo->qname, qinfo->qname_len,
3594 			qinfo->qclass);
3595 	}
3596 	if(!z) {
3597 		/* no zone above it */
3598 		lock_rw_unlock(&az->lock);
3599 		return 0;
3600 	}
3601 	lock_rw_rdlock(&z->lock);
3602 	lock_rw_unlock(&az->lock);
3603 	if(!z->for_downstream) {
3604 		lock_rw_unlock(&z->lock);
3605 		return 0;
3606 	}
3607 	if(z->zone_expired) {
3608 		if(z->fallback_enabled) {
3609 			lock_rw_unlock(&z->lock);
3610 			return 0;
3611 		}
3612 		lock_rw_unlock(&z->lock);
3613 		lock_rw_wrlock(&az->lock);
3614 		az->num_query_down++;
3615 		lock_rw_unlock(&az->lock);
3616 		auth_error_encode(qinfo, env, edns, repinfo, buf, temp,
3617 			LDNS_RCODE_SERVFAIL);
3618 		return 1;
3619 	}
3620 
3621 	/* answer it from zone z */
3622 	r = auth_zone_generate_answer(z, qinfo, temp, &msg, &fallback);
3623 	lock_rw_unlock(&z->lock);
3624 	if(!r && fallback) {
3625 		/* fallback to regular answering (recursive) */
3626 		return 0;
3627 	}
3628 	lock_rw_wrlock(&az->lock);
3629 	az->num_query_down++;
3630 	lock_rw_unlock(&az->lock);
3631 
3632 	/* encode answer */
3633 	if(!r)
3634 		auth_error_encode(qinfo, env, edns, repinfo, buf, temp,
3635 			LDNS_RCODE_SERVFAIL);
3636 	else	auth_answer_encode(qinfo, env, edns, repinfo, buf, temp, msg);
3637 
3638 	return 1;
3639 }
3640 
3641 int auth_zones_can_fallback(struct auth_zones* az, uint8_t* nm, size_t nmlen,
3642 	uint16_t dclass)
3643 {
3644 	int r;
3645 	struct auth_zone* z;
3646 	lock_rw_rdlock(&az->lock);
3647 	z = auth_zone_find(az, nm, nmlen, dclass);
3648 	if(!z) {
3649 		lock_rw_unlock(&az->lock);
3650 		/* no such auth zone, fallback */
3651 		return 1;
3652 	}
3653 	lock_rw_rdlock(&z->lock);
3654 	lock_rw_unlock(&az->lock);
3655 	r = z->fallback_enabled || (!z->for_upstream);
3656 	lock_rw_unlock(&z->lock);
3657 	return r;
3658 }
3659 
3660 int
3661 auth_zone_parse_notify_serial(sldns_buffer* pkt, uint32_t *serial)
3662 {
3663 	struct query_info q;
3664 	uint16_t rdlen;
3665 	memset(&q, 0, sizeof(q));
3666 	sldns_buffer_set_position(pkt, 0);
3667 	if(!query_info_parse(&q, pkt)) return 0;
3668 	if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) == 0) return 0;
3669 	/* skip name of RR in answer section */
3670 	if(sldns_buffer_remaining(pkt) < 1) return 0;
3671 	if(pkt_dname_len(pkt) == 0) return 0;
3672 	/* check type */
3673 	if(sldns_buffer_remaining(pkt) < 10 /* type,class,ttl,rdatalen*/)
3674 		return 0;
3675 	if(sldns_buffer_read_u16(pkt) != LDNS_RR_TYPE_SOA) return 0;
3676 	sldns_buffer_skip(pkt, 2); /* class */
3677 	sldns_buffer_skip(pkt, 4); /* ttl */
3678 	rdlen = sldns_buffer_read_u16(pkt); /* rdatalen */
3679 	if(sldns_buffer_remaining(pkt) < rdlen) return 0;
3680 	if(rdlen < 22) return 0; /* bad soa length */
3681 	sldns_buffer_skip(pkt, (ssize_t)(rdlen-20));
3682 	*serial = sldns_buffer_read_u32(pkt);
3683 	/* return true when has serial in answer section */
3684 	return 1;
3685 }
3686 
3687 /** print addr to str, and if not 53, append "@port_number", for logs. */
3688 static void addr_port_to_str(struct sockaddr_storage* addr, socklen_t addrlen,
3689 	char* buf, size_t len)
3690 {
3691 	uint16_t port = 0;
3692 	if(addr_is_ip6(addr, addrlen)) {
3693 		struct sockaddr_in6* sa = (struct sockaddr_in6*)addr;
3694 		port = ntohs((uint16_t)sa->sin6_port);
3695 	} else {
3696 		struct sockaddr_in* sa = (struct sockaddr_in*)addr;
3697 		port = ntohs((uint16_t)sa->sin_port);
3698 	}
3699 	if(port == UNBOUND_DNS_PORT) {
3700 		/* If it is port 53, print it plainly. */
3701 		addr_to_str(addr, addrlen, buf, len);
3702 	} else {
3703 		char a[256];
3704 		a[0]=0;
3705 		addr_to_str(addr, addrlen, a, sizeof(a));
3706 		snprintf(buf, len, "%s@%d", a, (int)port);
3707 	}
3708 }
3709 
3710 /** see if addr appears in the list */
3711 static int
3712 addr_in_list(struct auth_addr* list, struct sockaddr_storage* addr,
3713 	socklen_t addrlen)
3714 {
3715 	struct auth_addr* p;
3716 	for(p=list; p; p=p->next) {
3717 		if(sockaddr_cmp_addr(addr, addrlen, &p->addr, p->addrlen)==0)
3718 			return 1;
3719 	}
3720 	return 0;
3721 }
3722 
3723 /** check if an address matches a master specification (or one of its
3724  * addresses in the addr list) */
3725 static int
3726 addr_matches_master(struct auth_master* master, struct sockaddr_storage* addr,
3727 	socklen_t addrlen, struct auth_master** fromhost)
3728 {
3729 	struct sockaddr_storage a;
3730 	socklen_t alen = 0;
3731 	int net = 0;
3732 	if(addr_in_list(master->list, addr, addrlen)) {
3733 		*fromhost = master;
3734 		return 1;
3735 	}
3736 	/* compare address (but not port number, that is the destination
3737 	 * port of the master, the port number of the received notify is
3738 	 * allowed to by any port on that master) */
3739 	if(extstrtoaddr(master->host, &a, &alen, UNBOUND_DNS_PORT) &&
3740 		sockaddr_cmp_addr(addr, addrlen, &a, alen)==0) {
3741 		*fromhost = master;
3742 		return 1;
3743 	}
3744 	/* prefixes, addr/len, like 10.0.0.0/8 */
3745 	/* not http and has a / and there is one / */
3746 	if(master->allow_notify && !master->http &&
3747 		strchr(master->host, '/') != NULL &&
3748 		strchr(master->host, '/') == strrchr(master->host, '/') &&
3749 		netblockstrtoaddr(master->host, UNBOUND_DNS_PORT, &a, &alen,
3750 		&net) && alen == addrlen) {
3751 		if(addr_in_common(addr, (addr_is_ip6(addr, addrlen)?128:32),
3752 			&a, net, alen) >= net) {
3753 			*fromhost = NULL; /* prefix does not have destination
3754 				to send the probe or transfer with */
3755 			return 1; /* matches the netblock */
3756 		}
3757 	}
3758 	return 0;
3759 }
3760 
3761 /** check access list for notifies */
3762 static int
3763 az_xfr_allowed_notify(struct auth_xfer* xfr, struct sockaddr_storage* addr,
3764 	socklen_t addrlen, struct auth_master** fromhost)
3765 {
3766 	struct auth_master* p;
3767 	for(p=xfr->allow_notify_list; p; p=p->next) {
3768 		if(addr_matches_master(p, addr, addrlen, fromhost)) {
3769 			return 1;
3770 		}
3771 	}
3772 	return 0;
3773 }
3774 
3775 /** see if the serial means the zone has to be updated, i.e. the serial
3776  * is newer than the zone serial, or we have no zone */
3777 static int
3778 xfr_serial_means_update(struct auth_xfer* xfr, uint32_t serial)
3779 {
3780 	if(!xfr->have_zone)
3781 		return 1; /* no zone, anything is better */
3782 	if(xfr->zone_expired)
3783 		return 1; /* expired, the sent serial is better than expired
3784 			data */
3785 	if(compare_serial(xfr->serial, serial) < 0)
3786 		return 1; /* our serial is smaller than the sent serial,
3787 			the data is newer, fetch it */
3788 	return 0;
3789 }
3790 
3791 /** note notify serial, updates the notify information in the xfr struct */
3792 static void
3793 xfr_note_notify_serial(struct auth_xfer* xfr, int has_serial, uint32_t serial)
3794 {
3795 	if(xfr->notify_received && xfr->notify_has_serial && has_serial) {
3796 		/* see if this serial is newer */
3797 		if(compare_serial(xfr->notify_serial, serial) < 0)
3798 			xfr->notify_serial = serial;
3799 	} else if(xfr->notify_received && xfr->notify_has_serial &&
3800 		!has_serial) {
3801 		/* remove serial, we have notify without serial */
3802 		xfr->notify_has_serial = 0;
3803 		xfr->notify_serial = 0;
3804 	} else if(xfr->notify_received && !xfr->notify_has_serial) {
3805 		/* we already have notify without serial, keep it
3806 		 * that way; no serial check when current operation
3807 		 * is done */
3808 	} else {
3809 		xfr->notify_received = 1;
3810 		xfr->notify_has_serial = has_serial;
3811 		xfr->notify_serial = serial;
3812 	}
3813 }
3814 
3815 /** process a notify serial, start new probe or note serial. xfr is locked */
3816 static void
3817 xfr_process_notify(struct auth_xfer* xfr, struct module_env* env,
3818 	int has_serial, uint32_t serial, struct auth_master* fromhost)
3819 {
3820 	/* if the serial of notify is older than we have, don't fetch
3821 	 * a zone, we already have it */
3822 	if(has_serial && !xfr_serial_means_update(xfr, serial)) {
3823 		lock_basic_unlock(&xfr->lock);
3824 		return;
3825 	}
3826 	/* start new probe with this addr src, or note serial */
3827 	if(!xfr_start_probe(xfr, env, fromhost)) {
3828 		/* not started because already in progress, note the serial */
3829 		xfr_note_notify_serial(xfr, has_serial, serial);
3830 		lock_basic_unlock(&xfr->lock);
3831 	}
3832 	/* successful end of start_probe unlocked xfr->lock */
3833 }
3834 
3835 int auth_zones_notify(struct auth_zones* az, struct module_env* env,
3836 	uint8_t* nm, size_t nmlen, uint16_t dclass,
3837 	struct sockaddr_storage* addr, socklen_t addrlen, int has_serial,
3838 	uint32_t serial, int* refused)
3839 {
3840 	struct auth_xfer* xfr;
3841 	struct auth_master* fromhost = NULL;
3842 	/* see which zone this is */
3843 	lock_rw_rdlock(&az->lock);
3844 	xfr = auth_xfer_find(az, nm, nmlen, dclass);
3845 	if(!xfr) {
3846 		lock_rw_unlock(&az->lock);
3847 		/* no such zone, refuse the notify */
3848 		*refused = 1;
3849 		return 0;
3850 	}
3851 	lock_basic_lock(&xfr->lock);
3852 	lock_rw_unlock(&az->lock);
3853 
3854 	/* check access list for notifies */
3855 	if(!az_xfr_allowed_notify(xfr, addr, addrlen, &fromhost)) {
3856 		lock_basic_unlock(&xfr->lock);
3857 		/* notify not allowed, refuse the notify */
3858 		*refused = 1;
3859 		return 0;
3860 	}
3861 
3862 	/* process the notify */
3863 	xfr_process_notify(xfr, env, has_serial, serial, fromhost);
3864 	return 1;
3865 }
3866 
3867 int auth_zones_startprobesequence(struct auth_zones* az,
3868 	struct module_env* env, uint8_t* nm, size_t nmlen, uint16_t dclass)
3869 {
3870 	struct auth_xfer* xfr;
3871 	lock_rw_rdlock(&az->lock);
3872 	xfr = auth_xfer_find(az, nm, nmlen, dclass);
3873 	if(!xfr) {
3874 		lock_rw_unlock(&az->lock);
3875 		return 0;
3876 	}
3877 	lock_basic_lock(&xfr->lock);
3878 	lock_rw_unlock(&az->lock);
3879 
3880 	xfr_process_notify(xfr, env, 0, 0, NULL);
3881 	return 1;
3882 }
3883 
3884 /** set a zone expired */
3885 static void
3886 auth_xfer_set_expired(struct auth_xfer* xfr, struct module_env* env,
3887 	int expired)
3888 {
3889 	struct auth_zone* z;
3890 
3891 	/* expire xfr */
3892 	lock_basic_lock(&xfr->lock);
3893 	xfr->zone_expired = expired;
3894 	lock_basic_unlock(&xfr->lock);
3895 
3896 	/* find auth_zone */
3897 	lock_rw_rdlock(&env->auth_zones->lock);
3898 	z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen,
3899 		xfr->dclass);
3900 	if(!z) {
3901 		lock_rw_unlock(&env->auth_zones->lock);
3902 		return;
3903 	}
3904 	lock_rw_wrlock(&z->lock);
3905 	lock_rw_unlock(&env->auth_zones->lock);
3906 
3907 	/* expire auth_zone */
3908 	z->zone_expired = expired;
3909 	lock_rw_unlock(&z->lock);
3910 }
3911 
3912 /** find master (from notify or probe) in list of masters */
3913 static struct auth_master*
3914 find_master_by_host(struct auth_master* list, char* host)
3915 {
3916 	struct auth_master* p;
3917 	for(p=list; p; p=p->next) {
3918 		if(strcmp(p->host, host) == 0)
3919 			return p;
3920 	}
3921 	return NULL;
3922 }
3923 
3924 /** delete the looked up auth_addrs for all the masters in the list */
3925 static void
3926 xfr_masterlist_free_addrs(struct auth_master* list)
3927 {
3928 	struct auth_master* m;
3929 	for(m=list; m; m=m->next) {
3930 		if(m->list) {
3931 			auth_free_master_addrs(m->list);
3932 			m->list = NULL;
3933 		}
3934 	}
3935 }
3936 
3937 /** copy a list of auth_addrs */
3938 static struct auth_addr*
3939 auth_addr_list_copy(struct auth_addr* source)
3940 {
3941 	struct auth_addr* list = NULL, *last = NULL;
3942 	struct auth_addr* p;
3943 	for(p=source; p; p=p->next) {
3944 		struct auth_addr* a = (struct auth_addr*)memdup(p, sizeof(*p));
3945 		if(!a) {
3946 			log_err("malloc failure");
3947 			auth_free_master_addrs(list);
3948 			return NULL;
3949 		}
3950 		a->next = NULL;
3951 		if(last) last->next = a;
3952 		if(!list) list = a;
3953 		last = a;
3954 	}
3955 	return list;
3956 }
3957 
3958 /** copy a master to a new structure, NULL on alloc failure */
3959 static struct auth_master*
3960 auth_master_copy(struct auth_master* o)
3961 {
3962 	struct auth_master* m;
3963 	if(!o) return NULL;
3964 	m = (struct auth_master*)memdup(o, sizeof(*o));
3965 	if(!m) {
3966 		log_err("malloc failure");
3967 		return NULL;
3968 	}
3969 	m->next = NULL;
3970 	if(m->host) {
3971 		m->host = strdup(m->host);
3972 		if(!m->host) {
3973 			free(m);
3974 			log_err("malloc failure");
3975 			return NULL;
3976 		}
3977 	}
3978 	if(m->file) {
3979 		m->file = strdup(m->file);
3980 		if(!m->file) {
3981 			free(m->host);
3982 			free(m);
3983 			log_err("malloc failure");
3984 			return NULL;
3985 		}
3986 	}
3987 	if(m->list) {
3988 		m->list = auth_addr_list_copy(m->list);
3989 		if(!m->list) {
3990 			free(m->file);
3991 			free(m->host);
3992 			free(m);
3993 			return NULL;
3994 		}
3995 	}
3996 	return m;
3997 }
3998 
3999 /** copy the master addresses from the task_probe lookups to the allow_notify
4000  * list of masters */
4001 static void
4002 probe_copy_masters_for_allow_notify(struct auth_xfer* xfr)
4003 {
4004 	struct auth_master* list = NULL, *last = NULL;
4005 	struct auth_master* p;
4006 	/* build up new list with copies */
4007 	for(p = xfr->task_transfer->masters; p; p=p->next) {
4008 		struct auth_master* m = auth_master_copy(p);
4009 		if(!m) {
4010 			auth_free_masters(list);
4011 			/* failed because of malloc failure, use old list */
4012 			return;
4013 		}
4014 		m->next = NULL;
4015 		if(last) last->next = m;
4016 		if(!list) list = m;
4017 		last = m;
4018 	}
4019 	/* success, replace list */
4020 	auth_free_masters(xfr->allow_notify_list);
4021 	xfr->allow_notify_list = list;
4022 }
4023 
4024 /** start the lookups for task_transfer */
4025 static void
4026 xfr_transfer_start_lookups(struct auth_xfer* xfr)
4027 {
4028 	/* delete all the looked up addresses in the list */
4029 	xfr->task_transfer->scan_addr = NULL;
4030 	xfr_masterlist_free_addrs(xfr->task_transfer->masters);
4031 
4032 	/* start lookup at the first master */
4033 	xfr->task_transfer->lookup_target = xfr->task_transfer->masters;
4034 	xfr->task_transfer->lookup_aaaa = 0;
4035 }
4036 
4037 /** move to the next lookup of hostname for task_transfer */
4038 static void
4039 xfr_transfer_move_to_next_lookup(struct auth_xfer* xfr, struct module_env* env)
4040 {
4041 	if(!xfr->task_transfer->lookup_target)
4042 		return; /* already at end of list */
4043 	if(!xfr->task_transfer->lookup_aaaa && env->cfg->do_ip6) {
4044 		/* move to lookup AAAA */
4045 		xfr->task_transfer->lookup_aaaa = 1;
4046 		return;
4047 	}
4048 	xfr->task_transfer->lookup_target =
4049 		xfr->task_transfer->lookup_target->next;
4050 	xfr->task_transfer->lookup_aaaa = 0;
4051 	if(!env->cfg->do_ip4 && xfr->task_transfer->lookup_target!=NULL)
4052 		xfr->task_transfer->lookup_aaaa = 1;
4053 }
4054 
4055 /** start the lookups for task_probe */
4056 static void
4057 xfr_probe_start_lookups(struct auth_xfer* xfr)
4058 {
4059 	/* delete all the looked up addresses in the list */
4060 	xfr->task_probe->scan_addr = NULL;
4061 	xfr_masterlist_free_addrs(xfr->task_probe->masters);
4062 
4063 	/* start lookup at the first master */
4064 	xfr->task_probe->lookup_target = xfr->task_probe->masters;
4065 	xfr->task_probe->lookup_aaaa = 0;
4066 }
4067 
4068 /** move to the next lookup of hostname for task_probe */
4069 static void
4070 xfr_probe_move_to_next_lookup(struct auth_xfer* xfr, struct module_env* env)
4071 {
4072 	if(!xfr->task_probe->lookup_target)
4073 		return; /* already at end of list */
4074 	if(!xfr->task_probe->lookup_aaaa && env->cfg->do_ip6) {
4075 		/* move to lookup AAAA */
4076 		xfr->task_probe->lookup_aaaa = 1;
4077 		return;
4078 	}
4079 	xfr->task_probe->lookup_target = xfr->task_probe->lookup_target->next;
4080 	xfr->task_probe->lookup_aaaa = 0;
4081 	if(!env->cfg->do_ip4 && xfr->task_probe->lookup_target!=NULL)
4082 		xfr->task_probe->lookup_aaaa = 1;
4083 }
4084 
4085 /** start the iteration of the task_transfer list of masters */
4086 static void
4087 xfr_transfer_start_list(struct auth_xfer* xfr, struct auth_master* spec)
4088 {
4089 	if(spec) {
4090 		xfr->task_transfer->scan_specific = find_master_by_host(
4091 			xfr->task_transfer->masters, spec->host);
4092 		if(xfr->task_transfer->scan_specific) {
4093 			xfr->task_transfer->scan_target = NULL;
4094 			xfr->task_transfer->scan_addr = NULL;
4095 			if(xfr->task_transfer->scan_specific->list)
4096 				xfr->task_transfer->scan_addr =
4097 					xfr->task_transfer->scan_specific->list;
4098 			return;
4099 		}
4100 	}
4101 	/* no specific (notified) host to scan */
4102 	xfr->task_transfer->scan_specific = NULL;
4103 	xfr->task_transfer->scan_addr = NULL;
4104 	/* pick up first scan target */
4105 	xfr->task_transfer->scan_target = xfr->task_transfer->masters;
4106 	if(xfr->task_transfer->scan_target && xfr->task_transfer->
4107 		scan_target->list)
4108 		xfr->task_transfer->scan_addr =
4109 			xfr->task_transfer->scan_target->list;
4110 }
4111 
4112 /** start the iteration of the task_probe list of masters */
4113 static void
4114 xfr_probe_start_list(struct auth_xfer* xfr, struct auth_master* spec)
4115 {
4116 	if(spec) {
4117 		xfr->task_probe->scan_specific = find_master_by_host(
4118 			xfr->task_probe->masters, spec->host);
4119 		if(xfr->task_probe->scan_specific) {
4120 			xfr->task_probe->scan_target = NULL;
4121 			xfr->task_probe->scan_addr = NULL;
4122 			if(xfr->task_probe->scan_specific->list)
4123 				xfr->task_probe->scan_addr =
4124 					xfr->task_probe->scan_specific->list;
4125 			return;
4126 		}
4127 	}
4128 	/* no specific (notified) host to scan */
4129 	xfr->task_probe->scan_specific = NULL;
4130 	xfr->task_probe->scan_addr = NULL;
4131 	/* pick up first scan target */
4132 	xfr->task_probe->scan_target = xfr->task_probe->masters;
4133 	if(xfr->task_probe->scan_target && xfr->task_probe->scan_target->list)
4134 		xfr->task_probe->scan_addr =
4135 			xfr->task_probe->scan_target->list;
4136 }
4137 
4138 /** pick up the master that is being scanned right now, task_transfer */
4139 static struct auth_master*
4140 xfr_transfer_current_master(struct auth_xfer* xfr)
4141 {
4142 	if(xfr->task_transfer->scan_specific)
4143 		return xfr->task_transfer->scan_specific;
4144 	return xfr->task_transfer->scan_target;
4145 }
4146 
4147 /** pick up the master that is being scanned right now, task_probe */
4148 static struct auth_master*
4149 xfr_probe_current_master(struct auth_xfer* xfr)
4150 {
4151 	if(xfr->task_probe->scan_specific)
4152 		return xfr->task_probe->scan_specific;
4153 	return xfr->task_probe->scan_target;
4154 }
4155 
4156 /** true if at end of list, task_transfer */
4157 static int
4158 xfr_transfer_end_of_list(struct auth_xfer* xfr)
4159 {
4160 	return !xfr->task_transfer->scan_specific &&
4161 		!xfr->task_transfer->scan_target;
4162 }
4163 
4164 /** true if at end of list, task_probe */
4165 static int
4166 xfr_probe_end_of_list(struct auth_xfer* xfr)
4167 {
4168 	return !xfr->task_probe->scan_specific && !xfr->task_probe->scan_target;
4169 }
4170 
4171 /** move to next master in list, task_transfer */
4172 static void
4173 xfr_transfer_nextmaster(struct auth_xfer* xfr)
4174 {
4175 	if(!xfr->task_transfer->scan_specific &&
4176 		!xfr->task_transfer->scan_target)
4177 		return;
4178 	if(xfr->task_transfer->scan_addr) {
4179 		xfr->task_transfer->scan_addr =
4180 			xfr->task_transfer->scan_addr->next;
4181 		if(xfr->task_transfer->scan_addr)
4182 			return;
4183 	}
4184 	if(xfr->task_transfer->scan_specific) {
4185 		xfr->task_transfer->scan_specific = NULL;
4186 		xfr->task_transfer->scan_target = xfr->task_transfer->masters;
4187 		if(xfr->task_transfer->scan_target && xfr->task_transfer->
4188 			scan_target->list)
4189 			xfr->task_transfer->scan_addr =
4190 				xfr->task_transfer->scan_target->list;
4191 		return;
4192 	}
4193 	if(!xfr->task_transfer->scan_target)
4194 		return;
4195 	xfr->task_transfer->scan_target = xfr->task_transfer->scan_target->next;
4196 	if(xfr->task_transfer->scan_target && xfr->task_transfer->
4197 		scan_target->list)
4198 		xfr->task_transfer->scan_addr =
4199 			xfr->task_transfer->scan_target->list;
4200 	return;
4201 }
4202 
4203 /** move to next master in list, task_probe */
4204 static void
4205 xfr_probe_nextmaster(struct auth_xfer* xfr)
4206 {
4207 	if(!xfr->task_probe->scan_specific && !xfr->task_probe->scan_target)
4208 		return;
4209 	if(xfr->task_probe->scan_addr) {
4210 		xfr->task_probe->scan_addr = xfr->task_probe->scan_addr->next;
4211 		if(xfr->task_probe->scan_addr)
4212 			return;
4213 	}
4214 	if(xfr->task_probe->scan_specific) {
4215 		xfr->task_probe->scan_specific = NULL;
4216 		xfr->task_probe->scan_target = xfr->task_probe->masters;
4217 		if(xfr->task_probe->scan_target && xfr->task_probe->
4218 			scan_target->list)
4219 			xfr->task_probe->scan_addr =
4220 				xfr->task_probe->scan_target->list;
4221 		return;
4222 	}
4223 	if(!xfr->task_probe->scan_target)
4224 		return;
4225 	xfr->task_probe->scan_target = xfr->task_probe->scan_target->next;
4226 	if(xfr->task_probe->scan_target && xfr->task_probe->
4227 		scan_target->list)
4228 		xfr->task_probe->scan_addr =
4229 			xfr->task_probe->scan_target->list;
4230 	return;
4231 }
4232 
4233 /** create SOA probe packet for xfr */
4234 static void
4235 xfr_create_soa_probe_packet(struct auth_xfer* xfr, sldns_buffer* buf,
4236 	uint16_t id)
4237 {
4238 	struct query_info qinfo;
4239 
4240 	memset(&qinfo, 0, sizeof(qinfo));
4241 	qinfo.qname = xfr->name;
4242 	qinfo.qname_len = xfr->namelen;
4243 	qinfo.qtype = LDNS_RR_TYPE_SOA;
4244 	qinfo.qclass = xfr->dclass;
4245 	qinfo_query_encode(buf, &qinfo);
4246 	sldns_buffer_write_u16_at(buf, 0, id);
4247 }
4248 
4249 /** create IXFR/AXFR packet for xfr */
4250 static void
4251 xfr_create_ixfr_packet(struct auth_xfer* xfr, sldns_buffer* buf, uint16_t id,
4252 	struct auth_master* master)
4253 {
4254 	struct query_info qinfo;
4255 	uint32_t serial;
4256 	int have_zone;
4257 	have_zone = xfr->have_zone;
4258 	serial = xfr->serial;
4259 
4260 	memset(&qinfo, 0, sizeof(qinfo));
4261 	qinfo.qname = xfr->name;
4262 	qinfo.qname_len = xfr->namelen;
4263 	xfr->task_transfer->got_xfr_serial = 0;
4264 	xfr->task_transfer->rr_scan_num = 0;
4265 	xfr->task_transfer->incoming_xfr_serial = 0;
4266 	xfr->task_transfer->on_ixfr_is_axfr = 0;
4267 	xfr->task_transfer->on_ixfr = 1;
4268 	qinfo.qtype = LDNS_RR_TYPE_IXFR;
4269 	if(!have_zone || xfr->task_transfer->ixfr_fail || !master->ixfr) {
4270 		qinfo.qtype = LDNS_RR_TYPE_AXFR;
4271 		xfr->task_transfer->ixfr_fail = 0;
4272 		xfr->task_transfer->on_ixfr = 0;
4273 	}
4274 
4275 	qinfo.qclass = xfr->dclass;
4276 	qinfo_query_encode(buf, &qinfo);
4277 	sldns_buffer_write_u16_at(buf, 0, id);
4278 
4279 	/* append serial for IXFR */
4280 	if(qinfo.qtype == LDNS_RR_TYPE_IXFR) {
4281 		size_t end = sldns_buffer_limit(buf);
4282 		sldns_buffer_clear(buf);
4283 		sldns_buffer_set_position(buf, end);
4284 		/* auth section count 1 */
4285 		sldns_buffer_write_u16_at(buf, LDNS_NSCOUNT_OFF, 1);
4286 		/* write SOA */
4287 		sldns_buffer_write_u8(buf, 0xC0); /* compressed ptr to qname */
4288 		sldns_buffer_write_u8(buf, 0x0C);
4289 		sldns_buffer_write_u16(buf, LDNS_RR_TYPE_SOA);
4290 		sldns_buffer_write_u16(buf, qinfo.qclass);
4291 		sldns_buffer_write_u32(buf, 0); /* ttl */
4292 		sldns_buffer_write_u16(buf, 22); /* rdata length */
4293 		sldns_buffer_write_u8(buf, 0); /* . */
4294 		sldns_buffer_write_u8(buf, 0); /* . */
4295 		sldns_buffer_write_u32(buf, serial); /* serial */
4296 		sldns_buffer_write_u32(buf, 0); /* refresh */
4297 		sldns_buffer_write_u32(buf, 0); /* retry */
4298 		sldns_buffer_write_u32(buf, 0); /* expire */
4299 		sldns_buffer_write_u32(buf, 0); /* minimum */
4300 		sldns_buffer_flip(buf);
4301 	}
4302 }
4303 
4304 /** check if returned packet is OK */
4305 static int
4306 check_packet_ok(sldns_buffer* pkt, uint16_t qtype, struct auth_xfer* xfr,
4307 	uint32_t* serial)
4308 {
4309 	/* parse to see if packet worked, valid reply */
4310 
4311 	/* check serial number of SOA */
4312 	if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE)
4313 		return 0;
4314 
4315 	/* check ID */
4316 	if(LDNS_ID_WIRE(sldns_buffer_begin(pkt)) != xfr->task_probe->id)
4317 		return 0;
4318 
4319 	/* check flag bits and rcode */
4320 	if(!LDNS_QR_WIRE(sldns_buffer_begin(pkt)))
4321 		return 0;
4322 	if(LDNS_OPCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_PACKET_QUERY)
4323 		return 0;
4324 	if(LDNS_RCODE_WIRE(sldns_buffer_begin(pkt)) != LDNS_RCODE_NOERROR)
4325 		return 0;
4326 
4327 	/* check qname */
4328 	if(LDNS_QDCOUNT(sldns_buffer_begin(pkt)) != 1)
4329 		return 0;
4330 	sldns_buffer_skip(pkt, LDNS_HEADER_SIZE);
4331 	if(sldns_buffer_remaining(pkt) < xfr->namelen)
4332 		return 0;
4333 	if(query_dname_compare(sldns_buffer_current(pkt), xfr->name) != 0)
4334 		return 0;
4335 	sldns_buffer_skip(pkt, (ssize_t)xfr->namelen);
4336 
4337 	/* check qtype, qclass */
4338 	if(sldns_buffer_remaining(pkt) < 4)
4339 		return 0;
4340 	if(sldns_buffer_read_u16(pkt) != qtype)
4341 		return 0;
4342 	if(sldns_buffer_read_u16(pkt) != xfr->dclass)
4343 		return 0;
4344 
4345 	if(serial) {
4346 		uint16_t rdlen;
4347 		/* read serial number, from answer section SOA */
4348 		if(LDNS_ANCOUNT(sldns_buffer_begin(pkt)) == 0)
4349 			return 0;
4350 		/* read from first record SOA record */
4351 		if(sldns_buffer_remaining(pkt) < 1)
4352 			return 0;
4353 		if(dname_pkt_compare(pkt, sldns_buffer_current(pkt),
4354 			xfr->name) != 0)
4355 			return 0;
4356 		if(!pkt_dname_len(pkt))
4357 			return 0;
4358 		/* type, class, ttl, rdatalen */
4359 		if(sldns_buffer_remaining(pkt) < 4+4+2)
4360 			return 0;
4361 		if(sldns_buffer_read_u16(pkt) != qtype)
4362 			return 0;
4363 		if(sldns_buffer_read_u16(pkt) != xfr->dclass)
4364 			return 0;
4365 		sldns_buffer_skip(pkt, 4); /* ttl */
4366 		rdlen = sldns_buffer_read_u16(pkt);
4367 		if(sldns_buffer_remaining(pkt) < rdlen)
4368 			return 0;
4369 		if(sldns_buffer_remaining(pkt) < 1)
4370 			return 0;
4371 		if(!pkt_dname_len(pkt)) /* soa name */
4372 			return 0;
4373 		if(sldns_buffer_remaining(pkt) < 1)
4374 			return 0;
4375 		if(!pkt_dname_len(pkt)) /* soa name */
4376 			return 0;
4377 		if(sldns_buffer_remaining(pkt) < 20)
4378 			return 0;
4379 		*serial = sldns_buffer_read_u32(pkt);
4380 	}
4381 	return 1;
4382 }
4383 
4384 /** read one line from chunks into buffer at current position */
4385 static int
4386 chunkline_get_line(struct auth_chunk** chunk, size_t* chunk_pos,
4387 	sldns_buffer* buf)
4388 {
4389 	int readsome = 0;
4390 	while(*chunk) {
4391 		/* more text in this chunk? */
4392 		if(*chunk_pos < (*chunk)->len) {
4393 			readsome = 1;
4394 			while(*chunk_pos < (*chunk)->len) {
4395 				char c = (char)((*chunk)->data[*chunk_pos]);
4396 				(*chunk_pos)++;
4397 				if(sldns_buffer_remaining(buf) < 2) {
4398 					/* buffer too short */
4399 					verbose(VERB_ALGO, "http chunkline, "
4400 						"line too long");
4401 					return 0;
4402 				}
4403 				sldns_buffer_write_u8(buf, (uint8_t)c);
4404 				if(c == '\n') {
4405 					/* we are done */
4406 					return 1;
4407 				}
4408 			}
4409 		}
4410 		/* move to next chunk */
4411 		*chunk = (*chunk)->next;
4412 		*chunk_pos = 0;
4413 	}
4414 	/* no more text */
4415 	if(readsome) return 1;
4416 	return 0;
4417 }
4418 
4419 /** count number of open and closed parenthesis in a chunkline */
4420 static int
4421 chunkline_count_parens(sldns_buffer* buf, size_t start)
4422 {
4423 	size_t end = sldns_buffer_position(buf);
4424 	size_t i;
4425 	int count = 0;
4426 	int squote = 0, dquote = 0;
4427 	for(i=start; i<end; i++) {
4428 		char c = (char)sldns_buffer_read_u8_at(buf, i);
4429 		if(squote && c != '\'') continue;
4430 		if(dquote && c != '"') continue;
4431 		if(c == '"')
4432 			dquote = !dquote; /* skip quoted part */
4433 		else if(c == '\'')
4434 			squote = !squote; /* skip quoted part */
4435 		else if(c == '(')
4436 			count ++;
4437 		else if(c == ')')
4438 			count --;
4439 		else if(c == ';') {
4440 			/* rest is a comment */
4441 			return count;
4442 		}
4443 	}
4444 	return count;
4445 }
4446 
4447 /** remove trailing ;... comment from a line in the chunkline buffer */
4448 static void
4449 chunkline_remove_trailcomment(sldns_buffer* buf, size_t start)
4450 {
4451 	size_t end = sldns_buffer_position(buf);
4452 	size_t i;
4453 	int squote = 0, dquote = 0;
4454 	for(i=start; i<end; i++) {
4455 		char c = (char)sldns_buffer_read_u8_at(buf, i);
4456 		if(squote && c != '\'') continue;
4457 		if(dquote && c != '"') continue;
4458 		if(c == '"')
4459 			dquote = !dquote; /* skip quoted part */
4460 		else if(c == '\'')
4461 			squote = !squote; /* skip quoted part */
4462 		else if(c == ';') {
4463 			/* rest is a comment */
4464 			sldns_buffer_set_position(buf, i);
4465 			return;
4466 		}
4467 	}
4468 	/* nothing to remove */
4469 }
4470 
4471 /** see if a chunkline is a comment line (or empty line) */
4472 static int
4473 chunkline_is_comment_line_or_empty(sldns_buffer* buf)
4474 {
4475 	size_t i, end = sldns_buffer_limit(buf);
4476 	for(i=0; i<end; i++) {
4477 		char c = (char)sldns_buffer_read_u8_at(buf, i);
4478 		if(c == ';')
4479 			return 1; /* comment */
4480 		else if(c != ' ' && c != '\t' && c != '\r' && c != '\n')
4481 			return 0; /* not a comment */
4482 	}
4483 	return 1; /* empty */
4484 }
4485 
4486 /** find a line with ( ) collated */
4487 static int
4488 chunkline_get_line_collated(struct auth_chunk** chunk, size_t* chunk_pos,
4489 	sldns_buffer* buf)
4490 {
4491 	size_t pos;
4492 	int parens = 0;
4493 	sldns_buffer_clear(buf);
4494 	pos = sldns_buffer_position(buf);
4495 	if(!chunkline_get_line(chunk, chunk_pos, buf)) {
4496 		if(sldns_buffer_position(buf) < sldns_buffer_limit(buf))
4497 			sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0);
4498 		else sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf)-1, 0);
4499 		sldns_buffer_flip(buf);
4500 		return 0;
4501 	}
4502 	parens += chunkline_count_parens(buf, pos);
4503 	while(parens > 0) {
4504 		chunkline_remove_trailcomment(buf, pos);
4505 		pos = sldns_buffer_position(buf);
4506 		if(!chunkline_get_line(chunk, chunk_pos, buf)) {
4507 			if(sldns_buffer_position(buf) < sldns_buffer_limit(buf))
4508 				sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0);
4509 			else sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf)-1, 0);
4510 			sldns_buffer_flip(buf);
4511 			return 0;
4512 		}
4513 		parens += chunkline_count_parens(buf, pos);
4514 	}
4515 
4516 	if(sldns_buffer_remaining(buf) < 1) {
4517 		verbose(VERB_ALGO, "http chunkline: "
4518 			"line too long");
4519 		return 0;
4520 	}
4521 	sldns_buffer_write_u8_at(buf, sldns_buffer_position(buf), 0);
4522 	sldns_buffer_flip(buf);
4523 	return 1;
4524 }
4525 
4526 /** process $ORIGIN for http, 0 nothing, 1 done, 2 error */
4527 static int
4528 http_parse_origin(sldns_buffer* buf, struct sldns_file_parse_state* pstate)
4529 {
4530 	char* line = (char*)sldns_buffer_begin(buf);
4531 	if(strncmp(line, "$ORIGIN", 7) == 0 &&
4532 		isspace((unsigned char)line[7])) {
4533 		int s;
4534 		pstate->origin_len = sizeof(pstate->origin);
4535 		s = sldns_str2wire_dname_buf(sldns_strip_ws(line+8),
4536 			pstate->origin, &pstate->origin_len);
4537 		if(s) {
4538 			pstate->origin_len = 0;
4539 			return 2;
4540 		}
4541 		return 1;
4542 	}
4543 	return 0;
4544 }
4545 
4546 /** process $TTL for http, 0 nothing, 1 done, 2 error */
4547 static int
4548 http_parse_ttl(sldns_buffer* buf, struct sldns_file_parse_state* pstate)
4549 {
4550 	char* line = (char*)sldns_buffer_begin(buf);
4551 	if(strncmp(line, "$TTL", 4) == 0 &&
4552 		isspace((unsigned char)line[4])) {
4553 		const char* end = NULL;
4554 		int overflow = 0;
4555 		pstate->default_ttl = sldns_str2period(
4556 			sldns_strip_ws(line+5), &end, &overflow);
4557 		if(overflow) {
4558 			return 2;
4559 		}
4560 		return 1;
4561 	}
4562 	return 0;
4563 }
4564 
4565 /** find noncomment RR line in chunks, collates lines if ( ) format */
4566 static int
4567 chunkline_non_comment_RR(struct auth_chunk** chunk, size_t* chunk_pos,
4568 	sldns_buffer* buf, struct sldns_file_parse_state* pstate)
4569 {
4570 	int ret;
4571 	while(chunkline_get_line_collated(chunk, chunk_pos, buf)) {
4572 		if(chunkline_is_comment_line_or_empty(buf)) {
4573 			/* a comment, go to next line */
4574 			continue;
4575 		}
4576 		if((ret=http_parse_origin(buf, pstate))!=0) {
4577 			if(ret == 2)
4578 				return 0;
4579 			continue; /* $ORIGIN has been handled */
4580 		}
4581 		if((ret=http_parse_ttl(buf, pstate))!=0) {
4582 			if(ret == 2)
4583 				return 0;
4584 			continue; /* $TTL has been handled */
4585 		}
4586 		return 1;
4587 	}
4588 	/* no noncomments, fail */
4589 	return 0;
4590 }
4591 
4592 /** check syntax of chunklist zonefile, parse first RR, return false on
4593  * failure and return a string in the scratch buffer (first RR string)
4594  * on failure. */
4595 static int
4596 http_zonefile_syntax_check(struct auth_xfer* xfr, sldns_buffer* buf)
4597 {
4598 	uint8_t rr[LDNS_RR_BUF_SIZE];
4599 	size_t rr_len, dname_len = 0;
4600 	struct sldns_file_parse_state pstate;
4601 	struct auth_chunk* chunk;
4602 	size_t chunk_pos;
4603 	int e;
4604 	memset(&pstate, 0, sizeof(pstate));
4605 	pstate.default_ttl = 3600;
4606 	if(xfr->namelen < sizeof(pstate.origin)) {
4607 		pstate.origin_len = xfr->namelen;
4608 		memmove(pstate.origin, xfr->name, xfr->namelen);
4609 	}
4610 	chunk = xfr->task_transfer->chunks_first;
4611 	chunk_pos = 0;
4612 	if(!chunkline_non_comment_RR(&chunk, &chunk_pos, buf, &pstate)) {
4613 		return 0;
4614 	}
4615 	rr_len = sizeof(rr);
4616 	e=sldns_str2wire_rr_buf((char*)sldns_buffer_begin(buf), rr, &rr_len,
4617 		&dname_len, pstate.default_ttl,
4618 		pstate.origin_len?pstate.origin:NULL, pstate.origin_len,
4619 		pstate.prev_rr_len?pstate.prev_rr:NULL, pstate.prev_rr_len);
4620 	if(e != 0) {
4621 		log_err("parse failure on first RR[%d]: %s",
4622 			LDNS_WIREPARSE_OFFSET(e),
4623 			sldns_get_errorstr_parse(LDNS_WIREPARSE_ERROR(e)));
4624 		return 0;
4625 	}
4626 	/* check that class is correct */
4627 	if(sldns_wirerr_get_class(rr, rr_len, dname_len) != xfr->dclass) {
4628 		log_err("parse failure: first record in downloaded zonefile "
4629 			"from wrong RR class");
4630 		return 0;
4631 	}
4632 	return 1;
4633 }
4634 
4635 /** sum sizes of chunklist */
4636 static size_t
4637 chunklist_sum(struct auth_chunk* list)
4638 {
4639 	struct auth_chunk* p;
4640 	size_t s = 0;
4641 	for(p=list; p; p=p->next) {
4642 		s += p->len;
4643 	}
4644 	return s;
4645 }
4646 
4647 /** remove newlines from collated line */
4648 static void
4649 chunkline_newline_removal(sldns_buffer* buf)
4650 {
4651 	size_t i, end=sldns_buffer_limit(buf);
4652 	for(i=0; i<end; i++) {
4653 		char c = (char)sldns_buffer_read_u8_at(buf, i);
4654 		if(c == '\n' && i==end-1) {
4655 			sldns_buffer_write_u8_at(buf, i, 0);
4656 			sldns_buffer_set_limit(buf, end-1);
4657 			return;
4658 		}
4659 		if(c == '\n')
4660 			sldns_buffer_write_u8_at(buf, i, (uint8_t)' ');
4661 	}
4662 }
4663 
4664 /** for http download, parse and add RR to zone */
4665 static int
4666 http_parse_add_rr(struct auth_xfer* xfr, struct auth_zone* z,
4667 	sldns_buffer* buf, struct sldns_file_parse_state* pstate)
4668 {
4669 	uint8_t rr[LDNS_RR_BUF_SIZE];
4670 	size_t rr_len, dname_len = 0;
4671 	int e;
4672 	char* line = (char*)sldns_buffer_begin(buf);
4673 	rr_len = sizeof(rr);
4674 	e = sldns_str2wire_rr_buf(line, rr, &rr_len, &dname_len,
4675 		pstate->default_ttl,
4676 		pstate->origin_len?pstate->origin:NULL, pstate->origin_len,
4677 		pstate->prev_rr_len?pstate->prev_rr:NULL, pstate->prev_rr_len);
4678 	if(e != 0) {
4679 		log_err("%s/%s parse failure RR[%d]: %s in '%s'",
4680 			xfr->task_transfer->master->host,
4681 			xfr->task_transfer->master->file,
4682 			LDNS_WIREPARSE_OFFSET(e),
4683 			sldns_get_errorstr_parse(LDNS_WIREPARSE_ERROR(e)),
4684 			line);
4685 		return 0;
4686 	}
4687 	if(rr_len == 0)
4688 		return 1; /* empty line or so */
4689 
4690 	/* set prev */
4691 	if(dname_len < sizeof(pstate->prev_rr)) {
4692 		memmove(pstate->prev_rr, rr, dname_len);
4693 		pstate->prev_rr_len = dname_len;
4694 	}
4695 
4696 	return az_insert_rr(z, rr, rr_len, dname_len, NULL);
4697 }
4698 
4699 /** RR list iterator, returns RRs from answer section one by one from the
4700  * dns packets in the chunklist */
4701 static void
4702 chunk_rrlist_start(struct auth_xfer* xfr, struct auth_chunk** rr_chunk,
4703 	int* rr_num, size_t* rr_pos)
4704 {
4705 	*rr_chunk = xfr->task_transfer->chunks_first;
4706 	*rr_num = 0;
4707 	*rr_pos = 0;
4708 }
4709 
4710 /** RR list iterator, see if we are at the end of the list */
4711 static int
4712 chunk_rrlist_end(struct auth_chunk* rr_chunk, int rr_num)
4713 {
4714 	while(rr_chunk) {
4715 		if(rr_chunk->len < LDNS_HEADER_SIZE)
4716 			return 1;
4717 		if(rr_num < (int)LDNS_ANCOUNT(rr_chunk->data))
4718 			return 0;
4719 		/* no more RRs in this chunk */
4720 		/* continue with next chunk, see if it has RRs */
4721 		rr_chunk = rr_chunk->next;
4722 		rr_num = 0;
4723 	}
4724 	return 1;
4725 }
4726 
4727 /** RR list iterator, move to next RR */
4728 static void
4729 chunk_rrlist_gonext(struct auth_chunk** rr_chunk, int* rr_num,
4730 	size_t* rr_pos, size_t rr_nextpos)
4731 {
4732 	/* already at end of chunks? */
4733 	if(!*rr_chunk)
4734 		return;
4735 	/* move within this chunk */
4736 	if((*rr_chunk)->len >= LDNS_HEADER_SIZE &&
4737 		(*rr_num)+1 < (int)LDNS_ANCOUNT((*rr_chunk)->data)) {
4738 		(*rr_num) += 1;
4739 		*rr_pos = rr_nextpos;
4740 		return;
4741 	}
4742 	/* no more RRs in this chunk */
4743 	/* continue with next chunk, see if it has RRs */
4744 	if(*rr_chunk)
4745 		*rr_chunk = (*rr_chunk)->next;
4746 	while(*rr_chunk) {
4747 		*rr_num = 0;
4748 		*rr_pos = 0;
4749 		if((*rr_chunk)->len >= LDNS_HEADER_SIZE &&
4750 			LDNS_ANCOUNT((*rr_chunk)->data) > 0) {
4751 			return;
4752 		}
4753 		*rr_chunk = (*rr_chunk)->next;
4754 	}
4755 }
4756 
4757 /** RR iterator, get current RR information, false on parse error */
4758 static int
4759 chunk_rrlist_get_current(struct auth_chunk* rr_chunk, int rr_num,
4760 	size_t rr_pos, uint8_t** rr_dname, uint16_t* rr_type,
4761 	uint16_t* rr_class, uint32_t* rr_ttl, uint16_t* rr_rdlen,
4762 	uint8_t** rr_rdata, size_t* rr_nextpos)
4763 {
4764 	sldns_buffer pkt;
4765 	/* integrity checks on position */
4766 	if(!rr_chunk) return 0;
4767 	if(rr_chunk->len < LDNS_HEADER_SIZE) return 0;
4768 	if(rr_num >= (int)LDNS_ANCOUNT(rr_chunk->data)) return 0;
4769 	if(rr_pos >= rr_chunk->len) return 0;
4770 
4771 	/* fetch rr information */
4772 	sldns_buffer_init_frm_data(&pkt, rr_chunk->data, rr_chunk->len);
4773 	if(rr_pos == 0) {
4774 		size_t i;
4775 		/* skip question section */
4776 		sldns_buffer_set_position(&pkt, LDNS_HEADER_SIZE);
4777 		for(i=0; i<LDNS_QDCOUNT(rr_chunk->data); i++) {
4778 			if(pkt_dname_len(&pkt) == 0) return 0;
4779 			if(sldns_buffer_remaining(&pkt) < 4) return 0;
4780 			sldns_buffer_skip(&pkt, 4); /* type and class */
4781 		}
4782 	} else	{
4783 		sldns_buffer_set_position(&pkt, rr_pos);
4784 	}
4785 	*rr_dname = sldns_buffer_current(&pkt);
4786 	if(pkt_dname_len(&pkt) == 0) return 0;
4787 	if(sldns_buffer_remaining(&pkt) < 10) return 0;
4788 	*rr_type = sldns_buffer_read_u16(&pkt);
4789 	*rr_class = sldns_buffer_read_u16(&pkt);
4790 	*rr_ttl = sldns_buffer_read_u32(&pkt);
4791 	*rr_rdlen = sldns_buffer_read_u16(&pkt);
4792 	if(sldns_buffer_remaining(&pkt) < (*rr_rdlen)) return 0;
4793 	*rr_rdata = sldns_buffer_current(&pkt);
4794 	sldns_buffer_skip(&pkt, (ssize_t)(*rr_rdlen));
4795 	*rr_nextpos = sldns_buffer_position(&pkt);
4796 	return 1;
4797 }
4798 
4799 /** print log message where we are in parsing the zone transfer */
4800 static void
4801 log_rrlist_position(const char* label, struct auth_chunk* rr_chunk,
4802 	uint8_t* rr_dname, uint16_t rr_type, size_t rr_counter)
4803 {
4804 	sldns_buffer pkt;
4805 	size_t dlen;
4806 	uint8_t buf[256];
4807 	char str[256];
4808 	char typestr[32];
4809 	sldns_buffer_init_frm_data(&pkt, rr_chunk->data, rr_chunk->len);
4810 	sldns_buffer_set_position(&pkt, (size_t)(rr_dname -
4811 		sldns_buffer_begin(&pkt)));
4812 	if((dlen=pkt_dname_len(&pkt)) == 0) return;
4813 	if(dlen >= sizeof(buf)) return;
4814 	dname_pkt_copy(&pkt, buf, rr_dname);
4815 	dname_str(buf, str);
4816 	(void)sldns_wire2str_type_buf(rr_type, typestr, sizeof(typestr));
4817 	verbose(VERB_ALGO, "%s at[%d] %s %s", label, (int)rr_counter,
4818 		str, typestr);
4819 }
4820 
4821 /** check that start serial is OK for ixfr. we are at rr_counter == 0,
4822  * and we are going to check rr_counter == 1 (has to be type SOA) serial */
4823 static int
4824 ixfr_start_serial(struct auth_chunk* rr_chunk, int rr_num, size_t rr_pos,
4825 	uint8_t* rr_dname, uint16_t rr_type, uint16_t rr_class,
4826 	uint32_t rr_ttl, uint16_t rr_rdlen, uint8_t* rr_rdata,
4827 	size_t rr_nextpos, uint32_t transfer_serial, uint32_t xfr_serial)
4828 {
4829 	uint32_t startserial;
4830 	/* move forward on RR */
4831 	chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos);
4832 	if(chunk_rrlist_end(rr_chunk, rr_num)) {
4833 		/* no second SOA */
4834 		verbose(VERB_OPS, "IXFR has no second SOA record");
4835 		return 0;
4836 	}
4837 	if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos,
4838 		&rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen,
4839 		&rr_rdata, &rr_nextpos)) {
4840 		verbose(VERB_OPS, "IXFR cannot parse second SOA record");
4841 		/* failed to parse RR */
4842 		return 0;
4843 	}
4844 	if(rr_type != LDNS_RR_TYPE_SOA) {
4845 		verbose(VERB_OPS, "IXFR second record is not type SOA");
4846 		return 0;
4847 	}
4848 	if(rr_rdlen < 22) {
4849 		verbose(VERB_OPS, "IXFR, second SOA has short rdlength");
4850 		return 0; /* bad SOA rdlen */
4851 	}
4852 	startserial = sldns_read_uint32(rr_rdata+rr_rdlen-20);
4853 	if(startserial == transfer_serial) {
4854 		/* empty AXFR, not an IXFR */
4855 		verbose(VERB_OPS, "IXFR second serial same as first");
4856 		return 0;
4857 	}
4858 	if(startserial != xfr_serial) {
4859 		/* wrong start serial, it does not match the serial in
4860 		 * memory */
4861 		verbose(VERB_OPS, "IXFR is from serial %u to %u but %u "
4862 			"in memory, rejecting the zone transfer",
4863 			(unsigned)startserial, (unsigned)transfer_serial,
4864 			(unsigned)xfr_serial);
4865 		return 0;
4866 	}
4867 	/* everything OK in second SOA serial */
4868 	return 1;
4869 }
4870 
4871 /** apply IXFR to zone in memory. z is locked. false on failure(mallocfail) */
4872 static int
4873 apply_ixfr(struct auth_xfer* xfr, struct auth_zone* z,
4874 	struct sldns_buffer* scratch_buffer)
4875 {
4876 	struct auth_chunk* rr_chunk;
4877 	int rr_num;
4878 	size_t rr_pos;
4879 	uint8_t* rr_dname, *rr_rdata;
4880 	uint16_t rr_type, rr_class, rr_rdlen;
4881 	uint32_t rr_ttl;
4882 	size_t rr_nextpos;
4883 	int have_transfer_serial = 0;
4884 	uint32_t transfer_serial = 0;
4885 	size_t rr_counter = 0;
4886 	int delmode = 0;
4887 	int softfail = 0;
4888 
4889 	/* start RR iterator over chunklist of packets */
4890 	chunk_rrlist_start(xfr, &rr_chunk, &rr_num, &rr_pos);
4891 	while(!chunk_rrlist_end(rr_chunk, rr_num)) {
4892 		if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos,
4893 			&rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen,
4894 			&rr_rdata, &rr_nextpos)) {
4895 			/* failed to parse RR */
4896 			return 0;
4897 		}
4898 		if(verbosity>=7) log_rrlist_position("apply ixfr",
4899 			rr_chunk, rr_dname, rr_type, rr_counter);
4900 		/* twiddle add/del mode and check for start and end */
4901 		if(rr_counter == 0 && rr_type != LDNS_RR_TYPE_SOA)
4902 			return 0;
4903 		if(rr_counter == 1 && rr_type != LDNS_RR_TYPE_SOA) {
4904 			/* this is an AXFR returned from the IXFR master */
4905 			/* but that should already have been detected, by
4906 			 * on_ixfr_is_axfr */
4907 			return 0;
4908 		}
4909 		if(rr_type == LDNS_RR_TYPE_SOA) {
4910 			uint32_t serial;
4911 			if(rr_rdlen < 22) return 0; /* bad SOA rdlen */
4912 			serial = sldns_read_uint32(rr_rdata+rr_rdlen-20);
4913 			if(have_transfer_serial == 0) {
4914 				have_transfer_serial = 1;
4915 				transfer_serial = serial;
4916 				delmode = 1; /* gets negated below */
4917 				/* check second RR before going any further */
4918 				if(!ixfr_start_serial(rr_chunk, rr_num, rr_pos,
4919 					rr_dname, rr_type, rr_class, rr_ttl,
4920 					rr_rdlen, rr_rdata, rr_nextpos,
4921 					transfer_serial, xfr->serial)) {
4922 					return 0;
4923 				}
4924 			} else if(transfer_serial == serial) {
4925 				have_transfer_serial++;
4926 				if(rr_counter == 1) {
4927 					/* empty AXFR, with SOA; SOA; */
4928 					/* should have been detected by
4929 					 * on_ixfr_is_axfr */
4930 					return 0;
4931 				}
4932 				if(have_transfer_serial == 3) {
4933 					/* see serial three times for end */
4934 					/* eg. IXFR:
4935 					 *  SOA 3 start
4936 					 *  SOA 1 second RR, followed by del
4937 					 *  SOA 2 followed by add
4938 					 *  SOA 2 followed by del
4939 					 *  SOA 3 followed by add
4940 					 *  SOA 3 end */
4941 					/* ended by SOA record */
4942 					xfr->serial = transfer_serial;
4943 					break;
4944 				}
4945 			}
4946 			/* twiddle add/del mode */
4947 			/* switch from delete part to add part and back again
4948 			 * just before the soa, it gets deleted and added too
4949 			 * this means we switch to delete mode for the final
4950 			 * SOA(so skip that one) */
4951 			delmode = !delmode;
4952 		}
4953 		/* process this RR */
4954 		/* if the RR is deleted twice or added twice, then we
4955 		 * softfail, and continue with the rest of the IXFR, so
4956 		 * that we serve something fairly nice during the refetch */
4957 		if(verbosity>=7) log_rrlist_position((delmode?"del":"add"),
4958 			rr_chunk, rr_dname, rr_type, rr_counter);
4959 		if(delmode) {
4960 			/* delete this RR */
4961 			int nonexist = 0;
4962 			if(!az_remove_rr_decompress(z, rr_chunk->data,
4963 				rr_chunk->len, scratch_buffer, rr_dname,
4964 				rr_type, rr_class, rr_ttl, rr_rdata, rr_rdlen,
4965 				&nonexist)) {
4966 				/* failed, malloc error or so */
4967 				return 0;
4968 			}
4969 			if(nonexist) {
4970 				/* it was removal of a nonexisting RR */
4971 				if(verbosity>=4) log_rrlist_position(
4972 					"IXFR error nonexistent RR",
4973 					rr_chunk, rr_dname, rr_type, rr_counter);
4974 				softfail = 1;
4975 			}
4976 		} else if(rr_counter != 0) {
4977 			/* skip first SOA RR for addition, it is added in
4978 			 * the addition part near the end of the ixfr, when
4979 			 * that serial is seen the second time. */
4980 			int duplicate = 0;
4981 			/* add this RR */
4982 			if(!az_insert_rr_decompress(z, rr_chunk->data,
4983 				rr_chunk->len, scratch_buffer, rr_dname,
4984 				rr_type, rr_class, rr_ttl, rr_rdata, rr_rdlen,
4985 				&duplicate)) {
4986 				/* failed, malloc error or so */
4987 				return 0;
4988 			}
4989 			if(duplicate) {
4990 				/* it was a duplicate */
4991 				if(verbosity>=4) log_rrlist_position(
4992 					"IXFR error duplicate RR",
4993 					rr_chunk, rr_dname, rr_type, rr_counter);
4994 				softfail = 1;
4995 			}
4996 		}
4997 
4998 		rr_counter++;
4999 		chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos);
5000 	}
5001 	if(softfail) {
5002 		verbose(VERB_ALGO, "IXFR did not apply cleanly, fetching full zone");
5003 		return 0;
5004 	}
5005 	return 1;
5006 }
5007 
5008 /** apply AXFR to zone in memory. z is locked. false on failure(mallocfail) */
5009 static int
5010 apply_axfr(struct auth_xfer* xfr, struct auth_zone* z,
5011 	struct sldns_buffer* scratch_buffer)
5012 {
5013 	struct auth_chunk* rr_chunk;
5014 	int rr_num;
5015 	size_t rr_pos;
5016 	uint8_t* rr_dname, *rr_rdata;
5017 	uint16_t rr_type, rr_class, rr_rdlen;
5018 	uint32_t rr_ttl;
5019 	uint32_t serial = 0;
5020 	size_t rr_nextpos;
5021 	size_t rr_counter = 0;
5022 	int have_end_soa = 0;
5023 
5024 	/* clear the data tree */
5025 	traverse_postorder(&z->data, auth_data_del, NULL);
5026 	rbtree_init(&z->data, &auth_data_cmp);
5027 	/* clear the RPZ policies */
5028 	if(z->rpz)
5029 		rpz_clear(z->rpz);
5030 
5031 	xfr->have_zone = 0;
5032 	xfr->serial = 0;
5033 
5034 	/* insert all RRs in to the zone */
5035 	/* insert the SOA only once, skip the last one */
5036 	/* start RR iterator over chunklist of packets */
5037 	chunk_rrlist_start(xfr, &rr_chunk, &rr_num, &rr_pos);
5038 	while(!chunk_rrlist_end(rr_chunk, rr_num)) {
5039 		if(!chunk_rrlist_get_current(rr_chunk, rr_num, rr_pos,
5040 			&rr_dname, &rr_type, &rr_class, &rr_ttl, &rr_rdlen,
5041 			&rr_rdata, &rr_nextpos)) {
5042 			/* failed to parse RR */
5043 			return 0;
5044 		}
5045 		if(verbosity>=7) log_rrlist_position("apply_axfr",
5046 			rr_chunk, rr_dname, rr_type, rr_counter);
5047 		if(rr_type == LDNS_RR_TYPE_SOA) {
5048 			if(rr_counter != 0) {
5049 				/* end of the axfr */
5050 				have_end_soa = 1;
5051 				break;
5052 			}
5053 			if(rr_rdlen < 22) return 0; /* bad SOA rdlen */
5054 			serial = sldns_read_uint32(rr_rdata+rr_rdlen-20);
5055 		}
5056 
5057 		/* add this RR */
5058 		if(!az_insert_rr_decompress(z, rr_chunk->data, rr_chunk->len,
5059 			scratch_buffer, rr_dname, rr_type, rr_class, rr_ttl,
5060 			rr_rdata, rr_rdlen, NULL)) {
5061 			/* failed, malloc error or so */
5062 			return 0;
5063 		}
5064 
5065 		rr_counter++;
5066 		chunk_rrlist_gonext(&rr_chunk, &rr_num, &rr_pos, rr_nextpos);
5067 	}
5068 	if(!have_end_soa) {
5069 		log_err("no end SOA record for AXFR");
5070 		return 0;
5071 	}
5072 
5073 	xfr->serial = serial;
5074 	xfr->have_zone = 1;
5075 	return 1;
5076 }
5077 
5078 /** apply HTTP to zone in memory. z is locked. false on failure(mallocfail) */
5079 static int
5080 apply_http(struct auth_xfer* xfr, struct auth_zone* z,
5081 	struct sldns_buffer* scratch_buffer)
5082 {
5083 	/* parse data in chunks */
5084 	/* parse RR's and read into memory. ignore $INCLUDE from the
5085 	 * downloaded file*/
5086 	struct sldns_file_parse_state pstate;
5087 	struct auth_chunk* chunk;
5088 	size_t chunk_pos;
5089 	int ret;
5090 	memset(&pstate, 0, sizeof(pstate));
5091 	pstate.default_ttl = 3600;
5092 	if(xfr->namelen < sizeof(pstate.origin)) {
5093 		pstate.origin_len = xfr->namelen;
5094 		memmove(pstate.origin, xfr->name, xfr->namelen);
5095 	}
5096 
5097 	if(verbosity >= VERB_ALGO)
5098 		verbose(VERB_ALGO, "http download %s of size %d",
5099 		xfr->task_transfer->master->file,
5100 		(int)chunklist_sum(xfr->task_transfer->chunks_first));
5101 	if(xfr->task_transfer->chunks_first && verbosity >= VERB_ALGO) {
5102 		char preview[1024];
5103 		if(xfr->task_transfer->chunks_first->len+1 > sizeof(preview)) {
5104 			memmove(preview, xfr->task_transfer->chunks_first->data,
5105 				sizeof(preview)-1);
5106 			preview[sizeof(preview)-1]=0;
5107 		} else {
5108 			memmove(preview, xfr->task_transfer->chunks_first->data,
5109 				xfr->task_transfer->chunks_first->len);
5110 			preview[xfr->task_transfer->chunks_first->len]=0;
5111 		}
5112 		log_info("auth zone http downloaded content preview: %s",
5113 			preview);
5114 	}
5115 
5116 	/* perhaps a little syntax check before we try to apply the data? */
5117 	if(!http_zonefile_syntax_check(xfr, scratch_buffer)) {
5118 		log_err("http download %s/%s does not contain a zonefile, "
5119 			"but got '%s'", xfr->task_transfer->master->host,
5120 			xfr->task_transfer->master->file,
5121 			sldns_buffer_begin(scratch_buffer));
5122 		return 0;
5123 	}
5124 
5125 	/* clear the data tree */
5126 	traverse_postorder(&z->data, auth_data_del, NULL);
5127 	rbtree_init(&z->data, &auth_data_cmp);
5128 	/* clear the RPZ policies */
5129 	if(z->rpz)
5130 		rpz_clear(z->rpz);
5131 
5132 	xfr->have_zone = 0;
5133 	xfr->serial = 0;
5134 
5135 	chunk = xfr->task_transfer->chunks_first;
5136 	chunk_pos = 0;
5137 	pstate.lineno = 0;
5138 	while(chunkline_get_line_collated(&chunk, &chunk_pos, scratch_buffer)) {
5139 		/* process this line */
5140 		pstate.lineno++;
5141 		chunkline_newline_removal(scratch_buffer);
5142 		if(chunkline_is_comment_line_or_empty(scratch_buffer)) {
5143 			continue;
5144 		}
5145 		/* parse line and add RR */
5146 		if((ret=http_parse_origin(scratch_buffer, &pstate))!=0) {
5147 			if(ret == 2) {
5148 				verbose(VERB_ALGO, "error parsing ORIGIN on line [%s:%d] %s",
5149 					xfr->task_transfer->master->file,
5150 					pstate.lineno,
5151 					sldns_buffer_begin(scratch_buffer));
5152 				return 0;
5153 			}
5154 			continue; /* $ORIGIN has been handled */
5155 		}
5156 		if((ret=http_parse_ttl(scratch_buffer, &pstate))!=0) {
5157 			if(ret == 2) {
5158 				verbose(VERB_ALGO, "error parsing TTL on line [%s:%d] %s",
5159 					xfr->task_transfer->master->file,
5160 					pstate.lineno,
5161 					sldns_buffer_begin(scratch_buffer));
5162 				return 0;
5163 			}
5164 			continue; /* $TTL has been handled */
5165 		}
5166 		if(!http_parse_add_rr(xfr, z, scratch_buffer, &pstate)) {
5167 			verbose(VERB_ALGO, "error parsing line [%s:%d] %s",
5168 				xfr->task_transfer->master->file,
5169 				pstate.lineno,
5170 				sldns_buffer_begin(scratch_buffer));
5171 			return 0;
5172 		}
5173 	}
5174 	return 1;
5175 }
5176 
5177 /** write http chunks to zonefile to create downloaded file */
5178 static int
5179 auth_zone_write_chunks(struct auth_xfer* xfr, const char* fname)
5180 {
5181 	FILE* out;
5182 	struct auth_chunk* p;
5183 	out = fopen(fname, "w");
5184 	if(!out) {
5185 		log_err("could not open %s: %s", fname, strerror(errno));
5186 		return 0;
5187 	}
5188 	for(p = xfr->task_transfer->chunks_first; p ; p = p->next) {
5189 		if(!write_out(out, (char*)p->data, p->len)) {
5190 			log_err("could not write http download to %s", fname);
5191 			fclose(out);
5192 			return 0;
5193 		}
5194 	}
5195 	fclose(out);
5196 	return 1;
5197 }
5198 
5199 /** write to zonefile after zone has been updated */
5200 static void
5201 xfr_write_after_update(struct auth_xfer* xfr, struct module_env* env)
5202 {
5203 	struct config_file* cfg = env->cfg;
5204 	struct auth_zone* z;
5205 	char tmpfile[1024];
5206 	char* zfilename;
5207 	lock_basic_unlock(&xfr->lock);
5208 
5209 	/* get lock again, so it is a readlock and concurrently queries
5210 	 * can be answered */
5211 	lock_rw_rdlock(&env->auth_zones->lock);
5212 	z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen,
5213 		xfr->dclass);
5214 	if(!z) {
5215 		lock_rw_unlock(&env->auth_zones->lock);
5216 		/* the zone is gone, ignore xfr results */
5217 		lock_basic_lock(&xfr->lock);
5218 		return;
5219 	}
5220 	lock_rw_rdlock(&z->lock);
5221 	lock_basic_lock(&xfr->lock);
5222 	lock_rw_unlock(&env->auth_zones->lock);
5223 
5224 	if(z->zonefile == NULL || z->zonefile[0] == 0) {
5225 		lock_rw_unlock(&z->lock);
5226 		/* no write needed, no zonefile set */
5227 		return;
5228 	}
5229 	zfilename = z->zonefile;
5230 	if(cfg->chrootdir && cfg->chrootdir[0] && strncmp(zfilename,
5231 		cfg->chrootdir, strlen(cfg->chrootdir)) == 0)
5232 		zfilename += strlen(cfg->chrootdir);
5233 	if(verbosity >= VERB_ALGO) {
5234 		char nm[255+1];
5235 		dname_str(z->name, nm);
5236 		verbose(VERB_ALGO, "write zonefile %s for %s", zfilename, nm);
5237 	}
5238 
5239 	/* write to tempfile first */
5240 	if((size_t)strlen(zfilename) + 16 > sizeof(tmpfile)) {
5241 		verbose(VERB_ALGO, "tmpfilename too long, cannot update "
5242 			" zonefile %s", zfilename);
5243 		lock_rw_unlock(&z->lock);
5244 		return;
5245 	}
5246 	snprintf(tmpfile, sizeof(tmpfile), "%s.tmp%u", zfilename,
5247 		(unsigned)getpid());
5248 	if(xfr->task_transfer->master->http) {
5249 		/* use the stored chunk list to write them */
5250 		if(!auth_zone_write_chunks(xfr, tmpfile)) {
5251 			unlink(tmpfile);
5252 			lock_rw_unlock(&z->lock);
5253 			return;
5254 		}
5255 	} else if(!auth_zone_write_file(z, tmpfile)) {
5256 		unlink(tmpfile);
5257 		lock_rw_unlock(&z->lock);
5258 		return;
5259 	}
5260 #ifdef UB_ON_WINDOWS
5261 	(void)unlink(zfilename); /* windows does not replace file with rename() */
5262 #endif
5263 	if(rename(tmpfile, zfilename) < 0) {
5264 		log_err("could not rename(%s, %s): %s", tmpfile, zfilename,
5265 			strerror(errno));
5266 		unlink(tmpfile);
5267 		lock_rw_unlock(&z->lock);
5268 		return;
5269 	}
5270 	lock_rw_unlock(&z->lock);
5271 }
5272 
5273 /** reacquire locks and structures. Starts with no locks, ends
5274  * with xfr and z locks, if fail, no z lock */
5275 static int xfr_process_reacquire_locks(struct auth_xfer* xfr,
5276 	struct module_env* env, struct auth_zone** z)
5277 {
5278 	/* release xfr lock, then, while holding az->lock grab both
5279 	 * z->lock and xfr->lock */
5280 	lock_rw_rdlock(&env->auth_zones->lock);
5281 	*z = auth_zone_find(env->auth_zones, xfr->name, xfr->namelen,
5282 		xfr->dclass);
5283 	if(!*z) {
5284 		lock_rw_unlock(&env->auth_zones->lock);
5285 		lock_basic_lock(&xfr->lock);
5286 		*z = NULL;
5287 		return 0;
5288 	}
5289 	lock_rw_wrlock(&(*z)->lock);
5290 	lock_basic_lock(&xfr->lock);
5291 	lock_rw_unlock(&env->auth_zones->lock);
5292 	return 1;
5293 }
5294 
5295 /** process chunk list and update zone in memory,
5296  * return false if it did not work */
5297 static int
5298 xfr_process_chunk_list(struct auth_xfer* xfr, struct module_env* env,
5299 	int* ixfr_fail)
5300 {
5301 	struct auth_zone* z;
5302 
5303 	/* obtain locks and structures */
5304 	lock_basic_unlock(&xfr->lock);
5305 	if(!xfr_process_reacquire_locks(xfr, env, &z)) {
5306 		/* the zone is gone, ignore xfr results */
5307 		return 0;
5308 	}
5309 	/* holding xfr and z locks */
5310 
5311 	/* apply data */
5312 	if(xfr->task_transfer->master->http) {
5313 		if(!apply_http(xfr, z, env->scratch_buffer)) {
5314 			lock_rw_unlock(&z->lock);
5315 			verbose(VERB_ALGO, "http from %s: could not store data",
5316 				xfr->task_transfer->master->host);
5317 			return 0;
5318 		}
5319 	} else if(xfr->task_transfer->on_ixfr &&
5320 		!xfr->task_transfer->on_ixfr_is_axfr) {
5321 		if(!apply_ixfr(xfr, z, env->scratch_buffer)) {
5322 			lock_rw_unlock(&z->lock);
5323 			verbose(VERB_ALGO, "xfr from %s: could not store IXFR"
5324 				" data", xfr->task_transfer->master->host);
5325 			*ixfr_fail = 1;
5326 			return 0;
5327 		}
5328 	} else {
5329 		if(!apply_axfr(xfr, z, env->scratch_buffer)) {
5330 			lock_rw_unlock(&z->lock);
5331 			verbose(VERB_ALGO, "xfr from %s: could not store AXFR"
5332 				" data", xfr->task_transfer->master->host);
5333 			return 0;
5334 		}
5335 	}
5336 	xfr->zone_expired = 0;
5337 	z->zone_expired = 0;
5338 	if(!xfr_find_soa(z, xfr)) {
5339 		lock_rw_unlock(&z->lock);
5340 		verbose(VERB_ALGO, "xfr from %s: no SOA in zone after update"
5341 			" (or malformed RR)", xfr->task_transfer->master->host);
5342 		return 0;
5343 	}
5344 
5345 	/* release xfr lock while verifying zonemd because it may have
5346 	 * to spawn lookups in the state machines */
5347 	lock_basic_unlock(&xfr->lock);
5348 	/* holding z lock */
5349 	auth_zone_verify_zonemd(z, env, &env->mesh->mods, NULL, 0, 0);
5350 	if(z->zone_expired) {
5351 		char zname[256];
5352 		/* ZONEMD must have failed */
5353 		/* reacquire locks, so we hold xfr lock on exit of routine,
5354 		 * and both xfr and z again after releasing xfr for potential
5355 		 * state machine mesh callbacks */
5356 		lock_rw_unlock(&z->lock);
5357 		if(!xfr_process_reacquire_locks(xfr, env, &z))
5358 			return 0;
5359 		dname_str(xfr->name, zname);
5360 		verbose(VERB_ALGO, "xfr from %s: ZONEMD failed for %s, transfer is failed", xfr->task_transfer->master->host, zname);
5361 		xfr->zone_expired = 1;
5362 		lock_rw_unlock(&z->lock);
5363 		return 0;
5364 	}
5365 	/* reacquire locks, so we hold xfr lock on exit of routine,
5366 	 * and both xfr and z again after releasing xfr for potential
5367 	 * state machine mesh callbacks */
5368 	lock_rw_unlock(&z->lock);
5369 	if(!xfr_process_reacquire_locks(xfr, env, &z))
5370 		return 0;
5371 	/* holding xfr and z locks */
5372 
5373 	if(xfr->have_zone)
5374 		xfr->lease_time = *env->now;
5375 
5376 	if(z->rpz)
5377 		rpz_finish_config(z->rpz);
5378 
5379 	/* unlock */
5380 	lock_rw_unlock(&z->lock);
5381 
5382 	if(verbosity >= VERB_QUERY && xfr->have_zone) {
5383 		char zname[256];
5384 		dname_str(xfr->name, zname);
5385 		verbose(VERB_QUERY, "auth zone %s updated to serial %u", zname,
5386 			(unsigned)xfr->serial);
5387 	}
5388 	/* see if we need to write to a zonefile */
5389 	xfr_write_after_update(xfr, env);
5390 	return 1;
5391 }
5392 
5393 /** disown task_transfer.  caller must hold xfr.lock */
5394 static void
5395 xfr_transfer_disown(struct auth_xfer* xfr)
5396 {
5397 	/* remove timer (from this worker's event base) */
5398 	comm_timer_delete(xfr->task_transfer->timer);
5399 	xfr->task_transfer->timer = NULL;
5400 	/* remove the commpoint */
5401 	comm_point_delete(xfr->task_transfer->cp);
5402 	xfr->task_transfer->cp = NULL;
5403 	/* we don't own this item anymore */
5404 	xfr->task_transfer->worker = NULL;
5405 	xfr->task_transfer->env = NULL;
5406 }
5407 
5408 /** lookup a host name for its addresses, if needed */
5409 static int
5410 xfr_transfer_lookup_host(struct auth_xfer* xfr, struct module_env* env)
5411 {
5412 	struct sockaddr_storage addr;
5413 	socklen_t addrlen = 0;
5414 	struct auth_master* master = xfr->task_transfer->lookup_target;
5415 	struct query_info qinfo;
5416 	uint16_t qflags = BIT_RD;
5417 	uint8_t dname[LDNS_MAX_DOMAINLEN+1];
5418 	struct edns_data edns;
5419 	sldns_buffer* buf = env->scratch_buffer;
5420 	if(!master) return 0;
5421 	if(extstrtoaddr(master->host, &addr, &addrlen, UNBOUND_DNS_PORT)) {
5422 		/* not needed, host is in IP addr format */
5423 		return 0;
5424 	}
5425 	if(master->allow_notify)
5426 		return 0; /* allow-notifies are not transferred from, no
5427 		lookup is needed */
5428 
5429 	/* use mesh_new_callback to probe for non-addr hosts,
5430 	 * and then wait for them to be looked up (in cache, or query) */
5431 	qinfo.qname_len = sizeof(dname);
5432 	if(sldns_str2wire_dname_buf(master->host, dname, &qinfo.qname_len)
5433 		!= 0) {
5434 		log_err("cannot parse host name of master %s", master->host);
5435 		return 0;
5436 	}
5437 	qinfo.qname = dname;
5438 	qinfo.qclass = xfr->dclass;
5439 	qinfo.qtype = LDNS_RR_TYPE_A;
5440 	if(xfr->task_transfer->lookup_aaaa)
5441 		qinfo.qtype = LDNS_RR_TYPE_AAAA;
5442 	qinfo.local_alias = NULL;
5443 	if(verbosity >= VERB_ALGO) {
5444 		char buf1[512];
5445 		char buf2[LDNS_MAX_DOMAINLEN+1];
5446 		dname_str(xfr->name, buf2);
5447 		snprintf(buf1, sizeof(buf1), "auth zone %s: master lookup"
5448 			" for task_transfer", buf2);
5449 		log_query_info(VERB_ALGO, buf1, &qinfo);
5450 	}
5451 	edns.edns_present = 1;
5452 	edns.ext_rcode = 0;
5453 	edns.edns_version = 0;
5454 	edns.bits = EDNS_DO;
5455 	edns.opt_list_in = NULL;
5456 	edns.opt_list_out = NULL;
5457 	edns.opt_list_inplace_cb_out = NULL;
5458 	edns.padding_block_size = 0;
5459 	edns.cookie_present = 0;
5460 	edns.cookie_valid = 0;
5461 	if(sldns_buffer_capacity(buf) < 65535)
5462 		edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
5463 	else	edns.udp_size = 65535;
5464 
5465 	/* unlock xfr during mesh_new_callback() because the callback can be
5466 	 * called straight away */
5467 	lock_basic_unlock(&xfr->lock);
5468 	if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0,
5469 		&auth_xfer_transfer_lookup_callback, xfr, 0)) {
5470 		lock_basic_lock(&xfr->lock);
5471 		log_err("out of memory lookup up master %s", master->host);
5472 		return 0;
5473 	}
5474 	lock_basic_lock(&xfr->lock);
5475 	return 1;
5476 }
5477 
5478 /** initiate TCP to the target and fetch zone.
5479  * returns true if that was successfully started, and timeout setup. */
5480 static int
5481 xfr_transfer_init_fetch(struct auth_xfer* xfr, struct module_env* env)
5482 {
5483 	struct sockaddr_storage addr;
5484 	socklen_t addrlen = 0;
5485 	struct auth_master* master = xfr->task_transfer->master;
5486 	char *auth_name = NULL;
5487 	struct timeval t;
5488 	int timeout;
5489 	if(!master) return 0;
5490 	if(master->allow_notify) return 0; /* only for notify */
5491 
5492 	/* get master addr */
5493 	if(xfr->task_transfer->scan_addr) {
5494 		addrlen = xfr->task_transfer->scan_addr->addrlen;
5495 		memmove(&addr, &xfr->task_transfer->scan_addr->addr, addrlen);
5496 	} else {
5497 		if(!authextstrtoaddr(master->host, &addr, &addrlen, &auth_name)) {
5498 			/* the ones that are not in addr format are supposed
5499 			 * to be looked up.  The lookup has failed however,
5500 			 * so skip them */
5501 			char zname[255+1];
5502 			dname_str(xfr->name, zname);
5503 			log_err("%s: failed lookup, cannot transfer from master %s",
5504 				zname, master->host);
5505 			return 0;
5506 		}
5507 	}
5508 
5509 	/* remove previous TCP connection (if any) */
5510 	if(xfr->task_transfer->cp) {
5511 		comm_point_delete(xfr->task_transfer->cp);
5512 		xfr->task_transfer->cp = NULL;
5513 	}
5514 	if(!xfr->task_transfer->timer) {
5515 		xfr->task_transfer->timer = comm_timer_create(env->worker_base,
5516 			auth_xfer_transfer_timer_callback, xfr);
5517 		if(!xfr->task_transfer->timer) {
5518 			log_err("malloc failure");
5519 			return 0;
5520 		}
5521 	}
5522 	timeout = AUTH_TRANSFER_TIMEOUT;
5523 #ifndef S_SPLINT_S
5524         t.tv_sec = timeout/1000;
5525         t.tv_usec = (timeout%1000)*1000;
5526 #endif
5527 
5528 	if(master->http) {
5529 		/* perform http fetch */
5530 		/* store http port number into sockaddr,
5531 		 * unless someone used unbound's host@port notation */
5532 		xfr->task_transfer->on_ixfr = 0;
5533 		if(strchr(master->host, '@') == NULL)
5534 			sockaddr_store_port(&addr, addrlen, master->port);
5535 		xfr->task_transfer->cp = outnet_comm_point_for_http(
5536 			env->outnet, auth_xfer_transfer_http_callback, xfr,
5537 			&addr, addrlen, -1, master->ssl, master->host,
5538 			master->file, env->cfg);
5539 		if(!xfr->task_transfer->cp) {
5540 			char zname[255+1], as[256];
5541 			dname_str(xfr->name, zname);
5542 			addr_port_to_str(&addr, addrlen, as, sizeof(as));
5543 			verbose(VERB_ALGO, "cannot create http cp "
5544 				"connection for %s to %s", zname, as);
5545 			return 0;
5546 		}
5547 		comm_timer_set(xfr->task_transfer->timer, &t);
5548 		if(verbosity >= VERB_ALGO) {
5549 			char zname[255+1], as[256];
5550 			dname_str(xfr->name, zname);
5551 			addr_port_to_str(&addr, addrlen, as, sizeof(as));
5552 			verbose(VERB_ALGO, "auth zone %s transfer next HTTP fetch from %s started", zname, as);
5553 		}
5554 		/* Create or refresh the list of allow_notify addrs */
5555 		probe_copy_masters_for_allow_notify(xfr);
5556 		return 1;
5557 	}
5558 
5559 	/* perform AXFR/IXFR */
5560 	/* set the packet to be written */
5561 	/* create new ID */
5562 	xfr->task_transfer->id = GET_RANDOM_ID(env->rnd);
5563 	xfr_create_ixfr_packet(xfr, env->scratch_buffer,
5564 		xfr->task_transfer->id, master);
5565 
5566 	/* connect on fd */
5567 	xfr->task_transfer->cp = outnet_comm_point_for_tcp(env->outnet,
5568 		auth_xfer_transfer_tcp_callback, xfr, &addr, addrlen,
5569 		env->scratch_buffer, -1,
5570 		auth_name != NULL, auth_name);
5571 	if(!xfr->task_transfer->cp) {
5572 		char zname[255+1], as[256];
5573  		dname_str(xfr->name, zname);
5574 		addr_port_to_str(&addr, addrlen, as, sizeof(as));
5575 		verbose(VERB_ALGO, "cannot create tcp cp connection for "
5576 			"xfr %s to %s", zname, as);
5577 		return 0;
5578 	}
5579 	comm_timer_set(xfr->task_transfer->timer, &t);
5580 	if(verbosity >= VERB_ALGO) {
5581 		char zname[255+1], as[256];
5582  		dname_str(xfr->name, zname);
5583 		addr_port_to_str(&addr, addrlen, as, sizeof(as));
5584 		verbose(VERB_ALGO, "auth zone %s transfer next %s fetch from %s started", zname,
5585 			(xfr->task_transfer->on_ixfr?"IXFR":"AXFR"), as);
5586 	}
5587 	return 1;
5588 }
5589 
5590 /** perform next lookup, next transfer TCP, or end and resume wait time task */
5591 static void
5592 xfr_transfer_nexttarget_or_end(struct auth_xfer* xfr, struct module_env* env)
5593 {
5594 	log_assert(xfr->task_transfer->worker == env->worker);
5595 
5596 	/* are we performing lookups? */
5597 	while(xfr->task_transfer->lookup_target) {
5598 		if(xfr_transfer_lookup_host(xfr, env)) {
5599 			/* wait for lookup to finish,
5600 			 * note that the hostname may be in unbound's cache
5601 			 * and we may then get an instant cache response,
5602 			 * and that calls the callback just like a full
5603 			 * lookup and lookup failures also call callback */
5604 			if(verbosity >= VERB_ALGO) {
5605 				char zname[255+1];
5606 				dname_str(xfr->name, zname);
5607 				verbose(VERB_ALGO, "auth zone %s transfer next target lookup", zname);
5608 			}
5609 			lock_basic_unlock(&xfr->lock);
5610 			return;
5611 		}
5612 		xfr_transfer_move_to_next_lookup(xfr, env);
5613 	}
5614 
5615 	/* initiate TCP and fetch the zone from the master */
5616 	/* and set timeout on it */
5617 	while(!xfr_transfer_end_of_list(xfr)) {
5618 		xfr->task_transfer->master = xfr_transfer_current_master(xfr);
5619 		if(xfr_transfer_init_fetch(xfr, env)) {
5620 			/* successfully started, wait for callback */
5621 			lock_basic_unlock(&xfr->lock);
5622 			return;
5623 		}
5624 		/* failed to fetch, next master */
5625 		xfr_transfer_nextmaster(xfr);
5626 	}
5627 	if(verbosity >= VERB_ALGO) {
5628 		char zname[255+1];
5629 		dname_str(xfr->name, zname);
5630 		verbose(VERB_ALGO, "auth zone %s transfer failed, wait", zname);
5631 	}
5632 
5633 	/* we failed to fetch the zone, move to wait task
5634 	 * use the shorter retry timeout */
5635 	xfr_transfer_disown(xfr);
5636 
5637 	/* pick up the nextprobe task and wait */
5638 	if(xfr->task_nextprobe->worker == NULL)
5639 		xfr_set_timeout(xfr, env, 1, 0);
5640 	lock_basic_unlock(&xfr->lock);
5641 }
5642 
5643 /** add addrs from A or AAAA rrset to the master */
5644 static void
5645 xfr_master_add_addrs(struct auth_master* m, struct ub_packed_rrset_key* rrset,
5646 	uint16_t rrtype)
5647 {
5648 	size_t i;
5649 	struct packed_rrset_data* data;
5650 	if(!m || !rrset) return;
5651 	if(rrtype != LDNS_RR_TYPE_A && rrtype != LDNS_RR_TYPE_AAAA)
5652 		return;
5653 	data = (struct packed_rrset_data*)rrset->entry.data;
5654 	for(i=0; i<data->count; i++) {
5655 		struct auth_addr* a;
5656 		size_t len = data->rr_len[i] - 2;
5657 		uint8_t* rdata = data->rr_data[i]+2;
5658 		if(rrtype == LDNS_RR_TYPE_A && len != INET_SIZE)
5659 			continue; /* wrong length for A */
5660 		if(rrtype == LDNS_RR_TYPE_AAAA && len != INET6_SIZE)
5661 			continue; /* wrong length for AAAA */
5662 
5663 		/* add and alloc it */
5664 		a = (struct auth_addr*)calloc(1, sizeof(*a));
5665 		if(!a) {
5666 			log_err("out of memory");
5667 			return;
5668 		}
5669 		if(rrtype == LDNS_RR_TYPE_A) {
5670 			struct sockaddr_in* sa;
5671 			a->addrlen = (socklen_t)sizeof(*sa);
5672 			sa = (struct sockaddr_in*)&a->addr;
5673 			sa->sin_family = AF_INET;
5674 			sa->sin_port = (in_port_t)htons(UNBOUND_DNS_PORT);
5675 			memmove(&sa->sin_addr, rdata, INET_SIZE);
5676 		} else {
5677 			struct sockaddr_in6* sa;
5678 			a->addrlen = (socklen_t)sizeof(*sa);
5679 			sa = (struct sockaddr_in6*)&a->addr;
5680 			sa->sin6_family = AF_INET6;
5681 			sa->sin6_port = (in_port_t)htons(UNBOUND_DNS_PORT);
5682 			memmove(&sa->sin6_addr, rdata, INET6_SIZE);
5683 		}
5684 		if(verbosity >= VERB_ALGO) {
5685 			char s[64];
5686 			addr_port_to_str(&a->addr, a->addrlen, s, sizeof(s));
5687 			verbose(VERB_ALGO, "auth host %s lookup %s",
5688 				m->host, s);
5689 		}
5690 		/* append to list */
5691 		a->next = m->list;
5692 		m->list = a;
5693 	}
5694 }
5695 
5696 /** callback for task_transfer lookup of host name, of A or AAAA */
5697 void auth_xfer_transfer_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
5698 	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
5699 	int ATTR_UNUSED(was_ratelimited))
5700 {
5701 	struct auth_xfer* xfr = (struct auth_xfer*)arg;
5702 	struct module_env* env;
5703 	log_assert(xfr->task_transfer);
5704 	lock_basic_lock(&xfr->lock);
5705 	env = xfr->task_transfer->env;
5706 	if(!env || env->outnet->want_to_quit) {
5707 		lock_basic_unlock(&xfr->lock);
5708 		return; /* stop on quit */
5709 	}
5710 
5711 	/* process result */
5712 	if(rcode == LDNS_RCODE_NOERROR) {
5713 		uint16_t wanted_qtype = LDNS_RR_TYPE_A;
5714 		struct regional* temp = env->scratch;
5715 		struct query_info rq;
5716 		struct reply_info* rep;
5717 		if(xfr->task_transfer->lookup_aaaa)
5718 			wanted_qtype = LDNS_RR_TYPE_AAAA;
5719 		memset(&rq, 0, sizeof(rq));
5720 		rep = parse_reply_in_temp_region(buf, temp, &rq);
5721 		if(rep && rq.qtype == wanted_qtype &&
5722 			FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) {
5723 			/* parsed successfully */
5724 			struct ub_packed_rrset_key* answer =
5725 				reply_find_answer_rrset(&rq, rep);
5726 			if(answer) {
5727 				xfr_master_add_addrs(xfr->task_transfer->
5728 					lookup_target, answer, wanted_qtype);
5729 			} else {
5730 				if(verbosity >= VERB_ALGO) {
5731 					char zname[255+1];
5732 					dname_str(xfr->name, zname);
5733 					verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup has nodata", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A"));
5734 				}
5735 			}
5736 		} else {
5737 			if(verbosity >= VERB_ALGO) {
5738 				char zname[255+1];
5739 				dname_str(xfr->name, zname);
5740 				verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup has no answer", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A"));
5741 			}
5742 		}
5743 		regional_free_all(temp);
5744 	} else {
5745 		if(verbosity >= VERB_ALGO) {
5746 			char zname[255+1];
5747 			dname_str(xfr->name, zname);
5748 			verbose(VERB_ALGO, "auth zone %s host %s type %s transfer lookup failed", zname, xfr->task_transfer->lookup_target->host, (xfr->task_transfer->lookup_aaaa?"AAAA":"A"));
5749 		}
5750 	}
5751 	if(xfr->task_transfer->lookup_target->list &&
5752 		xfr->task_transfer->lookup_target == xfr_transfer_current_master(xfr))
5753 		xfr->task_transfer->scan_addr = xfr->task_transfer->lookup_target->list;
5754 
5755 	/* move to lookup AAAA after A lookup, move to next hostname lookup,
5756 	 * or move to fetch the zone, or, if nothing to do, end task_transfer */
5757 	xfr_transfer_move_to_next_lookup(xfr, env);
5758 	xfr_transfer_nexttarget_or_end(xfr, env);
5759 }
5760 
5761 /** check if xfer (AXFR or IXFR) packet is OK.
5762  * return false if we lost connection (SERVFAIL, or unreadable).
5763  * return false if we need to move from IXFR to AXFR, with gonextonfail
5764  * 	set to false, so the same master is tried again, but with AXFR.
5765  * return true if fine to link into data.
5766  * return true with transferdone=true when the transfer has ended.
5767  */
5768 static int
5769 check_xfer_packet(sldns_buffer* pkt, struct auth_xfer* xfr,
5770 	int* gonextonfail, int* transferdone)
5771 {
5772 	uint8_t* wire = sldns_buffer_begin(pkt);
5773 	int i;
5774 	if(sldns_buffer_limit(pkt) < LDNS_HEADER_SIZE) {
5775 		verbose(VERB_ALGO, "xfr to %s failed, packet too small",
5776 			xfr->task_transfer->master->host);
5777 		return 0;
5778 	}
5779 	if(!LDNS_QR_WIRE(wire)) {
5780 		verbose(VERB_ALGO, "xfr to %s failed, packet has no QR flag",
5781 			xfr->task_transfer->master->host);
5782 		return 0;
5783 	}
5784 	if(LDNS_TC_WIRE(wire)) {
5785 		verbose(VERB_ALGO, "xfr to %s failed, packet has TC flag",
5786 			xfr->task_transfer->master->host);
5787 		return 0;
5788 	}
5789 	/* check ID */
5790 	if(LDNS_ID_WIRE(wire) != xfr->task_transfer->id) {
5791 		verbose(VERB_ALGO, "xfr to %s failed, packet wrong ID",
5792 			xfr->task_transfer->master->host);
5793 		return 0;
5794 	}
5795 	if(LDNS_RCODE_WIRE(wire) != LDNS_RCODE_NOERROR) {
5796 		char rcode[32];
5797 		sldns_wire2str_rcode_buf((int)LDNS_RCODE_WIRE(wire), rcode,
5798 			sizeof(rcode));
5799 		/* if we are doing IXFR, check for fallback */
5800 		if(xfr->task_transfer->on_ixfr) {
5801 			if(LDNS_RCODE_WIRE(wire) == LDNS_RCODE_NOTIMPL ||
5802 				LDNS_RCODE_WIRE(wire) == LDNS_RCODE_SERVFAIL ||
5803 				LDNS_RCODE_WIRE(wire) == LDNS_RCODE_REFUSED ||
5804 				LDNS_RCODE_WIRE(wire) == LDNS_RCODE_FORMERR) {
5805 				verbose(VERB_ALGO, "xfr to %s, fallback "
5806 					"from IXFR to AXFR (with rcode %s)",
5807 					xfr->task_transfer->master->host,
5808 					rcode);
5809 				xfr->task_transfer->ixfr_fail = 1;
5810 				*gonextonfail = 0;
5811 				return 0;
5812 			}
5813 		}
5814 		verbose(VERB_ALGO, "xfr to %s failed, packet with rcode %s",
5815 			xfr->task_transfer->master->host, rcode);
5816 		return 0;
5817 	}
5818 	if(LDNS_OPCODE_WIRE(wire) != LDNS_PACKET_QUERY) {
5819 		verbose(VERB_ALGO, "xfr to %s failed, packet with bad opcode",
5820 			xfr->task_transfer->master->host);
5821 		return 0;
5822 	}
5823 	if(LDNS_QDCOUNT(wire) > 1) {
5824 		verbose(VERB_ALGO, "xfr to %s failed, packet has qdcount %d",
5825 			xfr->task_transfer->master->host,
5826 			(int)LDNS_QDCOUNT(wire));
5827 		return 0;
5828 	}
5829 
5830 	/* check qname */
5831 	sldns_buffer_set_position(pkt, LDNS_HEADER_SIZE);
5832 	for(i=0; i<(int)LDNS_QDCOUNT(wire); i++) {
5833 		size_t pos = sldns_buffer_position(pkt);
5834 		uint16_t qtype, qclass;
5835 		if(pkt_dname_len(pkt) == 0) {
5836 			verbose(VERB_ALGO, "xfr to %s failed, packet with "
5837 				"malformed dname",
5838 				xfr->task_transfer->master->host);
5839 			return 0;
5840 		}
5841 		if(dname_pkt_compare(pkt, sldns_buffer_at(pkt, pos),
5842 			xfr->name) != 0) {
5843 			verbose(VERB_ALGO, "xfr to %s failed, packet with "
5844 				"wrong qname",
5845 				xfr->task_transfer->master->host);
5846 			return 0;
5847 		}
5848 		if(sldns_buffer_remaining(pkt) < 4) {
5849 			verbose(VERB_ALGO, "xfr to %s failed, packet with "
5850 				"truncated query RR",
5851 				xfr->task_transfer->master->host);
5852 			return 0;
5853 		}
5854 		qtype = sldns_buffer_read_u16(pkt);
5855 		qclass = sldns_buffer_read_u16(pkt);
5856 		if(qclass != xfr->dclass) {
5857 			verbose(VERB_ALGO, "xfr to %s failed, packet with "
5858 				"wrong qclass",
5859 				xfr->task_transfer->master->host);
5860 			return 0;
5861 		}
5862 		if(xfr->task_transfer->on_ixfr) {
5863 			if(qtype != LDNS_RR_TYPE_IXFR) {
5864 				verbose(VERB_ALGO, "xfr to %s failed, packet "
5865 					"with wrong qtype, expected IXFR",
5866 				xfr->task_transfer->master->host);
5867 				return 0;
5868 			}
5869 		} else {
5870 			if(qtype != LDNS_RR_TYPE_AXFR) {
5871 				verbose(VERB_ALGO, "xfr to %s failed, packet "
5872 					"with wrong qtype, expected AXFR",
5873 				xfr->task_transfer->master->host);
5874 				return 0;
5875 			}
5876 		}
5877 	}
5878 
5879 	/* check parse of RRs in packet, store first SOA serial
5880 	 * to be able to detect last SOA (with that serial) to see if done */
5881 	/* also check for IXFR 'zone up to date' reply */
5882 	for(i=0; i<(int)LDNS_ANCOUNT(wire); i++) {
5883 		size_t pos = sldns_buffer_position(pkt);
5884 		uint16_t tp, rdlen;
5885 		if(pkt_dname_len(pkt) == 0) {
5886 			verbose(VERB_ALGO, "xfr to %s failed, packet with "
5887 				"malformed dname in answer section",
5888 				xfr->task_transfer->master->host);
5889 			return 0;
5890 		}
5891 		if(sldns_buffer_remaining(pkt) < 10) {
5892 			verbose(VERB_ALGO, "xfr to %s failed, packet with "
5893 				"truncated RR",
5894 				xfr->task_transfer->master->host);
5895 			return 0;
5896 		}
5897 		tp = sldns_buffer_read_u16(pkt);
5898 		(void)sldns_buffer_read_u16(pkt); /* class */
5899 		(void)sldns_buffer_read_u32(pkt); /* ttl */
5900 		rdlen = sldns_buffer_read_u16(pkt);
5901 		if(sldns_buffer_remaining(pkt) < rdlen) {
5902 			verbose(VERB_ALGO, "xfr to %s failed, packet with "
5903 				"truncated RR rdata",
5904 				xfr->task_transfer->master->host);
5905 			return 0;
5906 		}
5907 
5908 		/* RR parses (haven't checked rdata itself), now look at
5909 		 * SOA records to see serial number */
5910 		if(xfr->task_transfer->rr_scan_num == 0 &&
5911 			tp != LDNS_RR_TYPE_SOA) {
5912 			verbose(VERB_ALGO, "xfr to %s failed, packet with "
5913 				"malformed zone transfer, no start SOA",
5914 				xfr->task_transfer->master->host);
5915 			return 0;
5916 		}
5917 		if(xfr->task_transfer->rr_scan_num == 1 &&
5918 			tp != LDNS_RR_TYPE_SOA) {
5919 			/* second RR is not a SOA record, this is not an IXFR
5920 			 * the master is replying with an AXFR */
5921 			xfr->task_transfer->on_ixfr_is_axfr = 1;
5922 		}
5923 		if(tp == LDNS_RR_TYPE_SOA) {
5924 			uint32_t serial;
5925 			if(rdlen < 22) {
5926 				verbose(VERB_ALGO, "xfr to %s failed, packet "
5927 					"with SOA with malformed rdata",
5928 					xfr->task_transfer->master->host);
5929 				return 0;
5930 			}
5931 			if(dname_pkt_compare(pkt, sldns_buffer_at(pkt, pos),
5932 				xfr->name) != 0) {
5933 				verbose(VERB_ALGO, "xfr to %s failed, packet "
5934 					"with SOA with wrong dname",
5935 					xfr->task_transfer->master->host);
5936 				return 0;
5937 			}
5938 
5939 			/* read serial number of SOA */
5940 			serial = sldns_buffer_read_u32_at(pkt,
5941 				sldns_buffer_position(pkt)+rdlen-20);
5942 
5943 			/* check for IXFR 'zone has SOA x' reply */
5944 			if(xfr->task_transfer->on_ixfr &&
5945 				xfr->task_transfer->rr_scan_num == 0 &&
5946 				LDNS_ANCOUNT(wire)==1) {
5947 				verbose(VERB_ALGO, "xfr to %s ended, "
5948 					"IXFR reply that zone has serial %u,"
5949 					" fallback from IXFR to AXFR",
5950 					xfr->task_transfer->master->host,
5951 					(unsigned)serial);
5952 				xfr->task_transfer->ixfr_fail = 1;
5953 				*gonextonfail = 0;
5954 				return 0;
5955 			}
5956 
5957 			/* if first SOA, store serial number */
5958 			if(xfr->task_transfer->got_xfr_serial == 0) {
5959 				xfr->task_transfer->got_xfr_serial = 1;
5960 				xfr->task_transfer->incoming_xfr_serial =
5961 					serial;
5962 				verbose(VERB_ALGO, "xfr %s: contains "
5963 					"SOA serial %u",
5964 					xfr->task_transfer->master->host,
5965 					(unsigned)serial);
5966 			/* see if end of AXFR */
5967 			} else if(!xfr->task_transfer->on_ixfr ||
5968 				xfr->task_transfer->on_ixfr_is_axfr) {
5969 				/* second SOA with serial is the end
5970 				 * for AXFR */
5971 				*transferdone = 1;
5972 				verbose(VERB_ALGO, "xfr %s: last AXFR packet",
5973 					xfr->task_transfer->master->host);
5974 			/* for IXFR, count SOA records with that serial */
5975 			} else if(xfr->task_transfer->incoming_xfr_serial ==
5976 				serial && xfr->task_transfer->got_xfr_serial
5977 				== 1) {
5978 				xfr->task_transfer->got_xfr_serial++;
5979 			/* if not first soa, if serial==firstserial, the
5980 			 * third time we are at the end, for IXFR */
5981 			} else if(xfr->task_transfer->incoming_xfr_serial ==
5982 				serial && xfr->task_transfer->got_xfr_serial
5983 				== 2) {
5984 				verbose(VERB_ALGO, "xfr %s: last IXFR packet",
5985 					xfr->task_transfer->master->host);
5986 				*transferdone = 1;
5987 				/* continue parse check, if that succeeds,
5988 				 * transfer is done */
5989 			}
5990 		}
5991 		xfr->task_transfer->rr_scan_num++;
5992 
5993 		/* skip over RR rdata to go to the next RR */
5994 		sldns_buffer_skip(pkt, (ssize_t)rdlen);
5995 	}
5996 
5997 	/* check authority section */
5998 	/* we skip over the RRs checking packet format */
5999 	for(i=0; i<(int)LDNS_NSCOUNT(wire); i++) {
6000 		uint16_t rdlen;
6001 		if(pkt_dname_len(pkt) == 0) {
6002 			verbose(VERB_ALGO, "xfr to %s failed, packet with "
6003 				"malformed dname in authority section",
6004 				xfr->task_transfer->master->host);
6005 			return 0;
6006 		}
6007 		if(sldns_buffer_remaining(pkt) < 10) {
6008 			verbose(VERB_ALGO, "xfr to %s failed, packet with "
6009 				"truncated RR",
6010 				xfr->task_transfer->master->host);
6011 			return 0;
6012 		}
6013 		(void)sldns_buffer_read_u16(pkt); /* type */
6014 		(void)sldns_buffer_read_u16(pkt); /* class */
6015 		(void)sldns_buffer_read_u32(pkt); /* ttl */
6016 		rdlen = sldns_buffer_read_u16(pkt);
6017 		if(sldns_buffer_remaining(pkt) < rdlen) {
6018 			verbose(VERB_ALGO, "xfr to %s failed, packet with "
6019 				"truncated RR rdata",
6020 				xfr->task_transfer->master->host);
6021 			return 0;
6022 		}
6023 		/* skip over RR rdata to go to the next RR */
6024 		sldns_buffer_skip(pkt, (ssize_t)rdlen);
6025 	}
6026 
6027 	/* check additional section */
6028 	for(i=0; i<(int)LDNS_ARCOUNT(wire); i++) {
6029 		uint16_t rdlen;
6030 		if(pkt_dname_len(pkt) == 0) {
6031 			verbose(VERB_ALGO, "xfr to %s failed, packet with "
6032 				"malformed dname in additional section",
6033 				xfr->task_transfer->master->host);
6034 			return 0;
6035 		}
6036 		if(sldns_buffer_remaining(pkt) < 10) {
6037 			verbose(VERB_ALGO, "xfr to %s failed, packet with "
6038 				"truncated RR",
6039 				xfr->task_transfer->master->host);
6040 			return 0;
6041 		}
6042 		(void)sldns_buffer_read_u16(pkt); /* type */
6043 		(void)sldns_buffer_read_u16(pkt); /* class */
6044 		(void)sldns_buffer_read_u32(pkt); /* ttl */
6045 		rdlen = sldns_buffer_read_u16(pkt);
6046 		if(sldns_buffer_remaining(pkt) < rdlen) {
6047 			verbose(VERB_ALGO, "xfr to %s failed, packet with "
6048 				"truncated RR rdata",
6049 				xfr->task_transfer->master->host);
6050 			return 0;
6051 		}
6052 		/* skip over RR rdata to go to the next RR */
6053 		sldns_buffer_skip(pkt, (ssize_t)rdlen);
6054 	}
6055 
6056 	return 1;
6057 }
6058 
6059 /** Link the data from this packet into the worklist of transferred data */
6060 static int
6061 xfer_link_data(sldns_buffer* pkt, struct auth_xfer* xfr)
6062 {
6063 	/* alloc it */
6064 	struct auth_chunk* e;
6065 	e = (struct auth_chunk*)calloc(1, sizeof(*e));
6066 	if(!e) return 0;
6067 	e->next = NULL;
6068 	e->len = sldns_buffer_limit(pkt);
6069 	e->data = memdup(sldns_buffer_begin(pkt), e->len);
6070 	if(!e->data) {
6071 		free(e);
6072 		return 0;
6073 	}
6074 
6075 	/* alloc succeeded, link into list */
6076 	if(!xfr->task_transfer->chunks_first)
6077 		xfr->task_transfer->chunks_first = e;
6078 	if(xfr->task_transfer->chunks_last)
6079 		xfr->task_transfer->chunks_last->next = e;
6080 	xfr->task_transfer->chunks_last = e;
6081 	return 1;
6082 }
6083 
6084 /** task transfer.  the list of data is complete. process it and if failed
6085  * move to next master, if succeeded, end the task transfer */
6086 static void
6087 process_list_end_transfer(struct auth_xfer* xfr, struct module_env* env)
6088 {
6089 	int ixfr_fail = 0;
6090 	if(xfr_process_chunk_list(xfr, env, &ixfr_fail)) {
6091 		/* it worked! */
6092 		auth_chunks_delete(xfr->task_transfer);
6093 
6094 		/* we fetched the zone, move to wait task */
6095 		xfr_transfer_disown(xfr);
6096 
6097 		if(xfr->notify_received && (!xfr->notify_has_serial ||
6098 			(xfr->notify_has_serial &&
6099 			xfr_serial_means_update(xfr, xfr->notify_serial)))) {
6100 			uint32_t sr = xfr->notify_serial;
6101 			int has_sr = xfr->notify_has_serial;
6102 			/* we received a notify while probe/transfer was
6103 			 * in progress.  start a new probe and transfer */
6104 			xfr->notify_received = 0;
6105 			xfr->notify_has_serial = 0;
6106 			xfr->notify_serial = 0;
6107 			if(!xfr_start_probe(xfr, env, NULL)) {
6108 				/* if we couldn't start it, already in
6109 				 * progress; restore notify serial,
6110 				 * while xfr still locked */
6111 				xfr->notify_received = 1;
6112 				xfr->notify_has_serial = has_sr;
6113 				xfr->notify_serial = sr;
6114 				lock_basic_unlock(&xfr->lock);
6115 			}
6116 			return;
6117 		} else {
6118 			/* pick up the nextprobe task and wait (normail wait time) */
6119 			if(xfr->task_nextprobe->worker == NULL)
6120 				xfr_set_timeout(xfr, env, 0, 0);
6121 		}
6122 		lock_basic_unlock(&xfr->lock);
6123 		return;
6124 	}
6125 	/* processing failed */
6126 	/* when done, delete data from list */
6127 	auth_chunks_delete(xfr->task_transfer);
6128 	if(ixfr_fail) {
6129 		xfr->task_transfer->ixfr_fail = 1;
6130 	} else {
6131 		xfr_transfer_nextmaster(xfr);
6132 	}
6133 	xfr_transfer_nexttarget_or_end(xfr, env);
6134 }
6135 
6136 /** callback for the task_transfer timer */
6137 void
6138 auth_xfer_transfer_timer_callback(void* arg)
6139 {
6140 	struct auth_xfer* xfr = (struct auth_xfer*)arg;
6141 	struct module_env* env;
6142 	int gonextonfail = 1;
6143 	log_assert(xfr->task_transfer);
6144 	lock_basic_lock(&xfr->lock);
6145 	env = xfr->task_transfer->env;
6146 	if(!env || env->outnet->want_to_quit) {
6147 		lock_basic_unlock(&xfr->lock);
6148 		return; /* stop on quit */
6149 	}
6150 
6151 	verbose(VERB_ALGO, "xfr stopped, connection timeout to %s",
6152 		xfr->task_transfer->master->host);
6153 
6154 	/* see if IXFR caused the failure, if so, try AXFR */
6155 	if(xfr->task_transfer->on_ixfr) {
6156 		xfr->task_transfer->ixfr_possible_timeout_count++;
6157 		if(xfr->task_transfer->ixfr_possible_timeout_count >=
6158 			NUM_TIMEOUTS_FALLBACK_IXFR) {
6159 			verbose(VERB_ALGO, "xfr to %s, fallback "
6160 				"from IXFR to AXFR (because of timeouts)",
6161 				xfr->task_transfer->master->host);
6162 			xfr->task_transfer->ixfr_fail = 1;
6163 			gonextonfail = 0;
6164 		}
6165 	}
6166 
6167 	/* delete transferred data from list */
6168 	auth_chunks_delete(xfr->task_transfer);
6169 	comm_point_delete(xfr->task_transfer->cp);
6170 	xfr->task_transfer->cp = NULL;
6171 	if(gonextonfail)
6172 		xfr_transfer_nextmaster(xfr);
6173 	xfr_transfer_nexttarget_or_end(xfr, env);
6174 }
6175 
6176 /** callback for task_transfer tcp connections */
6177 int
6178 auth_xfer_transfer_tcp_callback(struct comm_point* c, void* arg, int err,
6179 	struct comm_reply* ATTR_UNUSED(repinfo))
6180 {
6181 	struct auth_xfer* xfr = (struct auth_xfer*)arg;
6182 	struct module_env* env;
6183 	int gonextonfail = 1;
6184 	int transferdone = 0;
6185 	log_assert(xfr->task_transfer);
6186 	lock_basic_lock(&xfr->lock);
6187 	env = xfr->task_transfer->env;
6188 	if(!env || env->outnet->want_to_quit) {
6189 		lock_basic_unlock(&xfr->lock);
6190 		return 0; /* stop on quit */
6191 	}
6192 	/* stop the timer */
6193 	comm_timer_disable(xfr->task_transfer->timer);
6194 
6195 	if(err != NETEVENT_NOERROR) {
6196 		/* connection failed, closed, or timeout */
6197 		/* stop this transfer, cleanup
6198 		 * and continue task_transfer*/
6199 		verbose(VERB_ALGO, "xfr stopped, connection lost to %s",
6200 			xfr->task_transfer->master->host);
6201 
6202 		/* see if IXFR caused the failure, if so, try AXFR */
6203 		if(xfr->task_transfer->on_ixfr) {
6204 			xfr->task_transfer->ixfr_possible_timeout_count++;
6205 			if(xfr->task_transfer->ixfr_possible_timeout_count >=
6206 				NUM_TIMEOUTS_FALLBACK_IXFR) {
6207 				verbose(VERB_ALGO, "xfr to %s, fallback "
6208 					"from IXFR to AXFR (because of timeouts)",
6209 					xfr->task_transfer->master->host);
6210 				xfr->task_transfer->ixfr_fail = 1;
6211 				gonextonfail = 0;
6212 			}
6213 		}
6214 
6215 	failed:
6216 		/* delete transferred data from list */
6217 		auth_chunks_delete(xfr->task_transfer);
6218 		comm_point_delete(xfr->task_transfer->cp);
6219 		xfr->task_transfer->cp = NULL;
6220 		if(gonextonfail)
6221 			xfr_transfer_nextmaster(xfr);
6222 		xfr_transfer_nexttarget_or_end(xfr, env);
6223 		return 0;
6224 	}
6225 	/* note that IXFR worked without timeout */
6226 	if(xfr->task_transfer->on_ixfr)
6227 		xfr->task_transfer->ixfr_possible_timeout_count = 0;
6228 
6229 	/* handle returned packet */
6230 	/* if it fails, cleanup and end this transfer */
6231 	/* if it needs to fallback from IXFR to AXFR, do that */
6232 	if(!check_xfer_packet(c->buffer, xfr, &gonextonfail, &transferdone)) {
6233 		goto failed;
6234 	}
6235 	/* if it is good, link it into the list of data */
6236 	/* if the link into list of data fails (malloc fail) cleanup and end */
6237 	if(!xfer_link_data(c->buffer, xfr)) {
6238 		verbose(VERB_ALGO, "xfr stopped to %s, malloc failed",
6239 			xfr->task_transfer->master->host);
6240 		goto failed;
6241 	}
6242 	/* if the transfer is done now, disconnect and process the list */
6243 	if(transferdone) {
6244 		comm_point_delete(xfr->task_transfer->cp);
6245 		xfr->task_transfer->cp = NULL;
6246 		process_list_end_transfer(xfr, env);
6247 		return 0;
6248 	}
6249 
6250 	/* if we want to read more messages, setup the commpoint to read
6251 	 * a DNS packet, and the timeout */
6252 	lock_basic_unlock(&xfr->lock);
6253 	c->tcp_is_reading = 1;
6254 	sldns_buffer_clear(c->buffer);
6255 	comm_point_start_listening(c, -1, AUTH_TRANSFER_TIMEOUT);
6256 	return 0;
6257 }
6258 
6259 /** callback for task_transfer http connections */
6260 int
6261 auth_xfer_transfer_http_callback(struct comm_point* c, void* arg, int err,
6262 	struct comm_reply* repinfo)
6263 {
6264 	struct auth_xfer* xfr = (struct auth_xfer*)arg;
6265 	struct module_env* env;
6266 	log_assert(xfr->task_transfer);
6267 	lock_basic_lock(&xfr->lock);
6268 	env = xfr->task_transfer->env;
6269 	if(!env || env->outnet->want_to_quit) {
6270 		lock_basic_unlock(&xfr->lock);
6271 		return 0; /* stop on quit */
6272 	}
6273 	verbose(VERB_ALGO, "auth zone transfer http callback");
6274 	/* stop the timer */
6275 	comm_timer_disable(xfr->task_transfer->timer);
6276 
6277 	if(err != NETEVENT_NOERROR && err != NETEVENT_DONE) {
6278 		/* connection failed, closed, or timeout */
6279 		/* stop this transfer, cleanup
6280 		 * and continue task_transfer*/
6281 		verbose(VERB_ALGO, "http stopped, connection lost to %s",
6282 			xfr->task_transfer->master->host);
6283 	failed:
6284 		/* delete transferred data from list */
6285 		auth_chunks_delete(xfr->task_transfer);
6286 		if(repinfo) repinfo->c = NULL; /* signal cp deleted to
6287 				the routine calling this callback */
6288 		comm_point_delete(xfr->task_transfer->cp);
6289 		xfr->task_transfer->cp = NULL;
6290 		xfr_transfer_nextmaster(xfr);
6291 		xfr_transfer_nexttarget_or_end(xfr, env);
6292 		return 0;
6293 	}
6294 
6295 	/* if it is good, link it into the list of data */
6296 	/* if the link into list of data fails (malloc fail) cleanup and end */
6297 	if(sldns_buffer_limit(c->buffer) > 0) {
6298 		verbose(VERB_ALGO, "auth zone http queued up %d bytes",
6299 			(int)sldns_buffer_limit(c->buffer));
6300 		if(!xfer_link_data(c->buffer, xfr)) {
6301 			verbose(VERB_ALGO, "http stopped to %s, malloc failed",
6302 				xfr->task_transfer->master->host);
6303 			goto failed;
6304 		}
6305 	}
6306 	/* if the transfer is done now, disconnect and process the list */
6307 	if(err == NETEVENT_DONE) {
6308 		if(repinfo) repinfo->c = NULL; /* signal cp deleted to
6309 				the routine calling this callback */
6310 		comm_point_delete(xfr->task_transfer->cp);
6311 		xfr->task_transfer->cp = NULL;
6312 		process_list_end_transfer(xfr, env);
6313 		return 0;
6314 	}
6315 
6316 	/* if we want to read more messages, setup the commpoint to read
6317 	 * a DNS packet, and the timeout */
6318 	lock_basic_unlock(&xfr->lock);
6319 	c->tcp_is_reading = 1;
6320 	sldns_buffer_clear(c->buffer);
6321 	comm_point_start_listening(c, -1, AUTH_TRANSFER_TIMEOUT);
6322 	return 0;
6323 }
6324 
6325 
6326 /** start transfer task by this worker , xfr is locked. */
6327 static void
6328 xfr_start_transfer(struct auth_xfer* xfr, struct module_env* env,
6329 	struct auth_master* master)
6330 {
6331 	log_assert(xfr->task_transfer != NULL);
6332 	log_assert(xfr->task_transfer->worker == NULL);
6333 	log_assert(xfr->task_transfer->chunks_first == NULL);
6334 	log_assert(xfr->task_transfer->chunks_last == NULL);
6335 	xfr->task_transfer->worker = env->worker;
6336 	xfr->task_transfer->env = env;
6337 
6338 	/* init transfer process */
6339 	/* find that master in the transfer's list of masters? */
6340 	xfr_transfer_start_list(xfr, master);
6341 	/* start lookup for hostnames in transfer master list */
6342 	xfr_transfer_start_lookups(xfr);
6343 
6344 	/* initiate TCP, and set timeout on it */
6345 	xfr_transfer_nexttarget_or_end(xfr, env);
6346 }
6347 
6348 /** disown task_probe.  caller must hold xfr.lock */
6349 static void
6350 xfr_probe_disown(struct auth_xfer* xfr)
6351 {
6352 	/* remove timer (from this worker's event base) */
6353 	comm_timer_delete(xfr->task_probe->timer);
6354 	xfr->task_probe->timer = NULL;
6355 	/* remove the commpoint */
6356 	comm_point_delete(xfr->task_probe->cp);
6357 	xfr->task_probe->cp = NULL;
6358 	/* we don't own this item anymore */
6359 	xfr->task_probe->worker = NULL;
6360 	xfr->task_probe->env = NULL;
6361 }
6362 
6363 /** send the UDP probe to the master, this is part of task_probe */
6364 static int
6365 xfr_probe_send_probe(struct auth_xfer* xfr, struct module_env* env,
6366 	int timeout)
6367 {
6368 	struct sockaddr_storage addr;
6369 	socklen_t addrlen = 0;
6370 	struct timeval t;
6371 	/* pick master */
6372 	struct auth_master* master = xfr_probe_current_master(xfr);
6373 	char *auth_name = NULL;
6374 	if(!master) return 0;
6375 	if(master->allow_notify) return 0; /* only for notify */
6376 	if(master->http) return 0; /* only masters get SOA UDP probe,
6377 		not urls, if those are in this list */
6378 
6379 	/* get master addr */
6380 	if(xfr->task_probe->scan_addr) {
6381 		addrlen = xfr->task_probe->scan_addr->addrlen;
6382 		memmove(&addr, &xfr->task_probe->scan_addr->addr, addrlen);
6383 	} else {
6384 		if(!authextstrtoaddr(master->host, &addr, &addrlen, &auth_name)) {
6385 			/* the ones that are not in addr format are supposed
6386 			 * to be looked up.  The lookup has failed however,
6387 			 * so skip them */
6388 			char zname[255+1];
6389 			dname_str(xfr->name, zname);
6390 			log_err("%s: failed lookup, cannot probe to master %s",
6391 				zname, master->host);
6392 			return 0;
6393 		}
6394 		if (auth_name != NULL) {
6395 			if (addr.ss_family == AF_INET
6396 			&&  (int)ntohs(((struct sockaddr_in *)&addr)->sin_port)
6397 		            == env->cfg->ssl_port)
6398 				((struct sockaddr_in *)&addr)->sin_port
6399 					= htons((uint16_t)env->cfg->port);
6400 			else if (addr.ss_family == AF_INET6
6401 			&&  (int)ntohs(((struct sockaddr_in6 *)&addr)->sin6_port)
6402 		            == env->cfg->ssl_port)
6403                         	((struct sockaddr_in6 *)&addr)->sin6_port
6404 					= htons((uint16_t)env->cfg->port);
6405 		}
6406 	}
6407 
6408 	/* create packet */
6409 	/* create new ID for new probes, but not on timeout retries,
6410 	 * this means we'll accept replies to previous retries to same ip */
6411 	if(timeout == AUTH_PROBE_TIMEOUT)
6412 		xfr->task_probe->id = GET_RANDOM_ID(env->rnd);
6413 	xfr_create_soa_probe_packet(xfr, env->scratch_buffer,
6414 		xfr->task_probe->id);
6415 	/* we need to remove the cp if we have a different ip4/ip6 type now */
6416 	if(xfr->task_probe->cp &&
6417 		((xfr->task_probe->cp_is_ip6 && !addr_is_ip6(&addr, addrlen)) ||
6418 		(!xfr->task_probe->cp_is_ip6 && addr_is_ip6(&addr, addrlen)))
6419 		) {
6420 		comm_point_delete(xfr->task_probe->cp);
6421 		xfr->task_probe->cp = NULL;
6422 	}
6423 	if(!xfr->task_probe->cp) {
6424 		if(addr_is_ip6(&addr, addrlen))
6425 			xfr->task_probe->cp_is_ip6 = 1;
6426 		else 	xfr->task_probe->cp_is_ip6 = 0;
6427 		xfr->task_probe->cp = outnet_comm_point_for_udp(env->outnet,
6428 			auth_xfer_probe_udp_callback, xfr, &addr, addrlen);
6429 		if(!xfr->task_probe->cp) {
6430 			char zname[255+1], as[256];
6431 			dname_str(xfr->name, zname);
6432 			addr_port_to_str(&addr, addrlen, as, sizeof(as));
6433 			verbose(VERB_ALGO, "cannot create udp cp for "
6434 				"probe %s to %s", zname, as);
6435 			return 0;
6436 		}
6437 	}
6438 	if(!xfr->task_probe->timer) {
6439 		xfr->task_probe->timer = comm_timer_create(env->worker_base,
6440 			auth_xfer_probe_timer_callback, xfr);
6441 		if(!xfr->task_probe->timer) {
6442 			log_err("malloc failure");
6443 			return 0;
6444 		}
6445 	}
6446 
6447 	/* send udp packet */
6448 	if(!comm_point_send_udp_msg(xfr->task_probe->cp, env->scratch_buffer,
6449 		(struct sockaddr*)&addr, addrlen, 0)) {
6450 		char zname[255+1], as[256];
6451 		dname_str(xfr->name, zname);
6452 		addr_port_to_str(&addr, addrlen, as, sizeof(as));
6453 		verbose(VERB_ALGO, "failed to send soa probe for %s to %s",
6454 			zname, as);
6455 		return 0;
6456 	}
6457 	if(verbosity >= VERB_ALGO) {
6458 		char zname[255+1], as[256];
6459 		dname_str(xfr->name, zname);
6460 		addr_port_to_str(&addr, addrlen, as, sizeof(as));
6461 		verbose(VERB_ALGO, "auth zone %s soa probe sent to %s", zname,
6462 			as);
6463 	}
6464 	xfr->task_probe->timeout = timeout;
6465 #ifndef S_SPLINT_S
6466 	t.tv_sec = timeout/1000;
6467 	t.tv_usec = (timeout%1000)*1000;
6468 #endif
6469 	comm_timer_set(xfr->task_probe->timer, &t);
6470 
6471 	return 1;
6472 }
6473 
6474 /** callback for task_probe timer */
6475 void
6476 auth_xfer_probe_timer_callback(void* arg)
6477 {
6478 	struct auth_xfer* xfr = (struct auth_xfer*)arg;
6479 	struct module_env* env;
6480 	log_assert(xfr->task_probe);
6481 	lock_basic_lock(&xfr->lock);
6482 	env = xfr->task_probe->env;
6483 	if(!env || env->outnet->want_to_quit) {
6484 		lock_basic_unlock(&xfr->lock);
6485 		return; /* stop on quit */
6486 	}
6487 
6488 	if(verbosity >= VERB_ALGO) {
6489 		char zname[255+1];
6490 		dname_str(xfr->name, zname);
6491 		verbose(VERB_ALGO, "auth zone %s soa probe timeout", zname);
6492 	}
6493 	if(xfr->task_probe->timeout <= AUTH_PROBE_TIMEOUT_STOP) {
6494 		/* try again with bigger timeout */
6495 		if(xfr_probe_send_probe(xfr, env, xfr->task_probe->timeout*2)) {
6496 			lock_basic_unlock(&xfr->lock);
6497 			return;
6498 		}
6499 	}
6500 	/* delete commpoint so a new one is created, with a fresh port nr */
6501 	comm_point_delete(xfr->task_probe->cp);
6502 	xfr->task_probe->cp = NULL;
6503 
6504 	/* too many timeouts (or fail to send), move to next or end */
6505 	xfr_probe_nextmaster(xfr);
6506 	xfr_probe_send_or_end(xfr, env);
6507 }
6508 
6509 /** callback for task_probe udp packets */
6510 int
6511 auth_xfer_probe_udp_callback(struct comm_point* c, void* arg, int err,
6512 	struct comm_reply* repinfo)
6513 {
6514 	struct auth_xfer* xfr = (struct auth_xfer*)arg;
6515 	struct module_env* env;
6516 	log_assert(xfr->task_probe);
6517 	lock_basic_lock(&xfr->lock);
6518 	env = xfr->task_probe->env;
6519 	if(!env || env->outnet->want_to_quit) {
6520 		lock_basic_unlock(&xfr->lock);
6521 		return 0; /* stop on quit */
6522 	}
6523 
6524 	/* the comm_point_udp_callback is in a for loop for NUM_UDP_PER_SELECT
6525 	 * and we set rep.c=NULL to stop if from looking inside the commpoint*/
6526 	repinfo->c = NULL;
6527 	/* stop the timer */
6528 	comm_timer_disable(xfr->task_probe->timer);
6529 
6530 	/* see if we got a packet and what that means */
6531 	if(err == NETEVENT_NOERROR) {
6532 		uint32_t serial = 0;
6533 		if(check_packet_ok(c->buffer, LDNS_RR_TYPE_SOA, xfr,
6534 			&serial)) {
6535 			/* successful lookup */
6536 			if(verbosity >= VERB_ALGO) {
6537 				char buf[256];
6538 				dname_str(xfr->name, buf);
6539 				verbose(VERB_ALGO, "auth zone %s: soa probe "
6540 					"serial is %u", buf, (unsigned)serial);
6541 			}
6542 			/* see if this serial indicates that the zone has
6543 			 * to be updated */
6544 			if(xfr_serial_means_update(xfr, serial)) {
6545 				/* if updated, start the transfer task, if needed */
6546 				verbose(VERB_ALGO, "auth_zone updated, start transfer");
6547 				if(xfr->task_transfer->worker == NULL) {
6548 					struct auth_master* master =
6549 						xfr_probe_current_master(xfr);
6550 					/* if we have download URLs use them
6551 					 * in preference to this master we
6552 					 * just probed the SOA from */
6553 					if(xfr->task_transfer->masters &&
6554 						xfr->task_transfer->masters->http)
6555 						master = NULL;
6556 					xfr_probe_disown(xfr);
6557 					xfr_start_transfer(xfr, env, master);
6558 					return 0;
6559 
6560 				}
6561 				/* other tasks are running, we don't do this anymore */
6562 				xfr_probe_disown(xfr);
6563 				lock_basic_unlock(&xfr->lock);
6564 				/* return, we don't sent a reply to this udp packet,
6565 				 * and we setup the tasks to do next */
6566 				return 0;
6567 			} else {
6568 				verbose(VERB_ALGO, "auth_zone master reports unchanged soa serial");
6569 				/* we if cannot find updates amongst the
6570 				 * masters, this means we then have a new lease
6571 				 * on the zone */
6572 				xfr->task_probe->have_new_lease = 1;
6573 			}
6574 		} else {
6575 			if(verbosity >= VERB_ALGO) {
6576 				char buf[256];
6577 				dname_str(xfr->name, buf);
6578 				verbose(VERB_ALGO, "auth zone %s: bad reply to soa probe", buf);
6579 			}
6580 		}
6581 	} else {
6582 		if(verbosity >= VERB_ALGO) {
6583 			char buf[256];
6584 			dname_str(xfr->name, buf);
6585 			verbose(VERB_ALGO, "auth zone %s: soa probe failed", buf);
6586 		}
6587 	}
6588 
6589 	/* failed lookup or not an update */
6590 	/* delete commpoint so a new one is created, with a fresh port nr */
6591 	comm_point_delete(xfr->task_probe->cp);
6592 	xfr->task_probe->cp = NULL;
6593 
6594 	/* if the result was not a successful probe, we need
6595 	 * to send the next one */
6596 	xfr_probe_nextmaster(xfr);
6597 	xfr_probe_send_or_end(xfr, env);
6598 	return 0;
6599 }
6600 
6601 /** lookup a host name for its addresses, if needed */
6602 static int
6603 xfr_probe_lookup_host(struct auth_xfer* xfr, struct module_env* env)
6604 {
6605 	struct sockaddr_storage addr;
6606 	socklen_t addrlen = 0;
6607 	struct auth_master* master = xfr->task_probe->lookup_target;
6608 	struct query_info qinfo;
6609 	uint16_t qflags = BIT_RD;
6610 	uint8_t dname[LDNS_MAX_DOMAINLEN+1];
6611 	struct edns_data edns;
6612 	sldns_buffer* buf = env->scratch_buffer;
6613 	if(!master) return 0;
6614 	if(extstrtoaddr(master->host, &addr, &addrlen, UNBOUND_DNS_PORT)) {
6615 		/* not needed, host is in IP addr format */
6616 		return 0;
6617 	}
6618 	if(master->allow_notify && !master->http &&
6619 		strchr(master->host, '/') != NULL &&
6620 		strchr(master->host, '/') == strrchr(master->host, '/')) {
6621 		return 0; /* is IP/prefix format, not something to look up */
6622 	}
6623 
6624 	/* use mesh_new_callback to probe for non-addr hosts,
6625 	 * and then wait for them to be looked up (in cache, or query) */
6626 	qinfo.qname_len = sizeof(dname);
6627 	if(sldns_str2wire_dname_buf(master->host, dname, &qinfo.qname_len)
6628 		!= 0) {
6629 		log_err("cannot parse host name of master %s", master->host);
6630 		return 0;
6631 	}
6632 	qinfo.qname = dname;
6633 	qinfo.qclass = xfr->dclass;
6634 	qinfo.qtype = LDNS_RR_TYPE_A;
6635 	if(xfr->task_probe->lookup_aaaa)
6636 		qinfo.qtype = LDNS_RR_TYPE_AAAA;
6637 	qinfo.local_alias = NULL;
6638 	if(verbosity >= VERB_ALGO) {
6639 		char buf1[512];
6640 		char buf2[LDNS_MAX_DOMAINLEN+1];
6641 		dname_str(xfr->name, buf2);
6642 		snprintf(buf1, sizeof(buf1), "auth zone %s: master lookup"
6643 			" for task_probe", buf2);
6644 		log_query_info(VERB_ALGO, buf1, &qinfo);
6645 	}
6646 	edns.edns_present = 1;
6647 	edns.ext_rcode = 0;
6648 	edns.edns_version = 0;
6649 	edns.bits = EDNS_DO;
6650 	edns.opt_list_in = NULL;
6651 	edns.opt_list_out = NULL;
6652 	edns.opt_list_inplace_cb_out = NULL;
6653 	edns.padding_block_size = 0;
6654 	edns.cookie_present = 0;
6655 	edns.cookie_valid = 0;
6656 	if(sldns_buffer_capacity(buf) < 65535)
6657 		edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
6658 	else	edns.udp_size = 65535;
6659 
6660 	/* unlock xfr during mesh_new_callback() because the callback can be
6661 	 * called straight away */
6662 	lock_basic_unlock(&xfr->lock);
6663 	if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0,
6664 		&auth_xfer_probe_lookup_callback, xfr, 0)) {
6665 		lock_basic_lock(&xfr->lock);
6666 		log_err("out of memory lookup up master %s", master->host);
6667 		return 0;
6668 	}
6669 	lock_basic_lock(&xfr->lock);
6670 	return 1;
6671 }
6672 
6673 /** move to sending the probe packets, next if fails. task_probe */
6674 static void
6675 xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env)
6676 {
6677 	/* are we doing hostname lookups? */
6678 	while(xfr->task_probe->lookup_target) {
6679 		if(xfr_probe_lookup_host(xfr, env)) {
6680 			/* wait for lookup to finish,
6681 			 * note that the hostname may be in unbound's cache
6682 			 * and we may then get an instant cache response,
6683 			 * and that calls the callback just like a full
6684 			 * lookup and lookup failures also call callback */
6685 			if(verbosity >= VERB_ALGO) {
6686 				char zname[255+1];
6687 				dname_str(xfr->name, zname);
6688 				verbose(VERB_ALGO, "auth zone %s probe next target lookup", zname);
6689 			}
6690 			lock_basic_unlock(&xfr->lock);
6691 			return;
6692 		}
6693 		xfr_probe_move_to_next_lookup(xfr, env);
6694 	}
6695 	/* probe of list has ended.  Create or refresh the list of of
6696 	 * allow_notify addrs */
6697 	probe_copy_masters_for_allow_notify(xfr);
6698 	if(verbosity >= VERB_ALGO) {
6699 		char zname[255+1];
6700 		dname_str(xfr->name, zname);
6701 		verbose(VERB_ALGO, "auth zone %s probe: notify addrs updated", zname);
6702 	}
6703 	if(xfr->task_probe->only_lookup) {
6704 		/* only wanted lookups for copy, stop probe and start wait */
6705 		xfr->task_probe->only_lookup = 0;
6706 		if(verbosity >= VERB_ALGO) {
6707 			char zname[255+1];
6708 			dname_str(xfr->name, zname);
6709 			verbose(VERB_ALGO, "auth zone %s probe: finished only_lookup", zname);
6710 		}
6711 		xfr_probe_disown(xfr);
6712 		if(xfr->task_nextprobe->worker == NULL)
6713 			xfr_set_timeout(xfr, env, 0, 0);
6714 		lock_basic_unlock(&xfr->lock);
6715 		return;
6716 	}
6717 
6718 	/* send probe packets */
6719 	while(!xfr_probe_end_of_list(xfr)) {
6720 		if(xfr_probe_send_probe(xfr, env, AUTH_PROBE_TIMEOUT)) {
6721 			/* successfully sent probe, wait for callback */
6722 			lock_basic_unlock(&xfr->lock);
6723 			return;
6724 		}
6725 		/* failed to send probe, next master */
6726 		xfr_probe_nextmaster(xfr);
6727 	}
6728 
6729 	/* done with probe sequence, wait */
6730 	if(xfr->task_probe->have_new_lease) {
6731 		/* if zone not updated, start the wait timer again */
6732 		if(verbosity >= VERB_ALGO) {
6733 			char zname[255+1];
6734 			dname_str(xfr->name, zname);
6735 			verbose(VERB_ALGO, "auth_zone %s unchanged, new lease, wait", zname);
6736 		}
6737 		xfr_probe_disown(xfr);
6738 		if(xfr->have_zone)
6739 			xfr->lease_time = *env->now;
6740 		if(xfr->task_nextprobe->worker == NULL)
6741 			xfr_set_timeout(xfr, env, 0, 0);
6742 	} else {
6743 		if(verbosity >= VERB_ALGO) {
6744 			char zname[255+1];
6745 			dname_str(xfr->name, zname);
6746 			verbose(VERB_ALGO, "auth zone %s soa probe failed, wait to retry", zname);
6747 		}
6748 		/* we failed to send this as well, move to the wait task,
6749 		 * use the shorter retry timeout */
6750 		xfr_probe_disown(xfr);
6751 		/* pick up the nextprobe task and wait */
6752 		if(xfr->task_nextprobe->worker == NULL)
6753 			xfr_set_timeout(xfr, env, 1, 0);
6754 	}
6755 
6756 	lock_basic_unlock(&xfr->lock);
6757 }
6758 
6759 /** callback for task_probe lookup of host name, of A or AAAA */
6760 void auth_xfer_probe_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
6761 	enum sec_status ATTR_UNUSED(sec), char* ATTR_UNUSED(why_bogus),
6762 	int ATTR_UNUSED(was_ratelimited))
6763 {
6764 	struct auth_xfer* xfr = (struct auth_xfer*)arg;
6765 	struct module_env* env;
6766 	log_assert(xfr->task_probe);
6767 	lock_basic_lock(&xfr->lock);
6768 	env = xfr->task_probe->env;
6769 	if(!env || env->outnet->want_to_quit) {
6770 		lock_basic_unlock(&xfr->lock);
6771 		return; /* stop on quit */
6772 	}
6773 
6774 	/* process result */
6775 	if(rcode == LDNS_RCODE_NOERROR) {
6776 		uint16_t wanted_qtype = LDNS_RR_TYPE_A;
6777 		struct regional* temp = env->scratch;
6778 		struct query_info rq;
6779 		struct reply_info* rep;
6780 		if(xfr->task_probe->lookup_aaaa)
6781 			wanted_qtype = LDNS_RR_TYPE_AAAA;
6782 		memset(&rq, 0, sizeof(rq));
6783 		rep = parse_reply_in_temp_region(buf, temp, &rq);
6784 		if(rep && rq.qtype == wanted_qtype &&
6785 			FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) {
6786 			/* parsed successfully */
6787 			struct ub_packed_rrset_key* answer =
6788 				reply_find_answer_rrset(&rq, rep);
6789 			if(answer) {
6790 				xfr_master_add_addrs(xfr->task_probe->
6791 					lookup_target, answer, wanted_qtype);
6792 			} else {
6793 				if(verbosity >= VERB_ALGO) {
6794 					char zname[255+1];
6795 					dname_str(xfr->name, zname);
6796 					verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup has nodata", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A"));
6797 				}
6798 			}
6799 		} else {
6800 			if(verbosity >= VERB_ALGO) {
6801 				char zname[255+1];
6802 				dname_str(xfr->name, zname);
6803 				verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup has no address", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A"));
6804 			}
6805 		}
6806 		regional_free_all(temp);
6807 	} else {
6808 		if(verbosity >= VERB_ALGO) {
6809 			char zname[255+1];
6810 			dname_str(xfr->name, zname);
6811 			verbose(VERB_ALGO, "auth zone %s host %s type %s probe lookup failed", zname, xfr->task_probe->lookup_target->host, (xfr->task_probe->lookup_aaaa?"AAAA":"A"));
6812 		}
6813 	}
6814 	if(xfr->task_probe->lookup_target->list &&
6815 		xfr->task_probe->lookup_target == xfr_probe_current_master(xfr))
6816 		xfr->task_probe->scan_addr = xfr->task_probe->lookup_target->list;
6817 
6818 	/* move to lookup AAAA after A lookup, move to next hostname lookup,
6819 	 * or move to send the probes, or, if nothing to do, end task_probe */
6820 	xfr_probe_move_to_next_lookup(xfr, env);
6821 	xfr_probe_send_or_end(xfr, env);
6822 }
6823 
6824 /** disown task_nextprobe.  caller must hold xfr.lock */
6825 static void
6826 xfr_nextprobe_disown(struct auth_xfer* xfr)
6827 {
6828 	/* delete the timer, because the next worker to pick this up may
6829 	 * not have the same event base */
6830 	comm_timer_delete(xfr->task_nextprobe->timer);
6831 	xfr->task_nextprobe->timer = NULL;
6832 	xfr->task_nextprobe->next_probe = 0;
6833 	/* we don't own this item anymore */
6834 	xfr->task_nextprobe->worker = NULL;
6835 	xfr->task_nextprobe->env = NULL;
6836 }
6837 
6838 /** xfer nextprobe timeout callback, this is part of task_nextprobe */
6839 void
6840 auth_xfer_timer(void* arg)
6841 {
6842 	struct auth_xfer* xfr = (struct auth_xfer*)arg;
6843 	struct module_env* env;
6844 	log_assert(xfr->task_nextprobe);
6845 	lock_basic_lock(&xfr->lock);
6846 	env = xfr->task_nextprobe->env;
6847 	if(!env || env->outnet->want_to_quit) {
6848 		lock_basic_unlock(&xfr->lock);
6849 		return; /* stop on quit */
6850 	}
6851 
6852 	/* see if zone has expired, and if so, also set auth_zone expired */
6853 	if(xfr->have_zone && !xfr->zone_expired &&
6854 	   *env->now >= xfr->lease_time + xfr->expiry) {
6855 		lock_basic_unlock(&xfr->lock);
6856 		auth_xfer_set_expired(xfr, env, 1);
6857 		lock_basic_lock(&xfr->lock);
6858 	}
6859 
6860 	xfr_nextprobe_disown(xfr);
6861 
6862 	if(!xfr_start_probe(xfr, env, NULL)) {
6863 		/* not started because already in progress */
6864 		lock_basic_unlock(&xfr->lock);
6865 	}
6866 }
6867 
6868 /** return true if there are probe (SOA UDP query) targets in the master list*/
6869 static int
6870 have_probe_targets(struct auth_master* list)
6871 {
6872 	struct auth_master* p;
6873 	for(p=list; p; p = p->next) {
6874 		if(!p->allow_notify && p->host)
6875 			return 1;
6876 	}
6877 	return 0;
6878 }
6879 
6880 /** start task_probe if possible, if no masters for probe start task_transfer
6881  * returns true if task has been started, and false if the task is already
6882  * in progress. */
6883 static int
6884 xfr_start_probe(struct auth_xfer* xfr, struct module_env* env,
6885 	struct auth_master* spec)
6886 {
6887 	/* see if we need to start a probe (or maybe it is already in
6888 	 * progress (due to notify)) */
6889 	if(xfr->task_probe->worker == NULL) {
6890 		if(!have_probe_targets(xfr->task_probe->masters) &&
6891 			!(xfr->task_probe->only_lookup &&
6892 			xfr->task_probe->masters != NULL)) {
6893 			/* useless to pick up task_probe, no masters to
6894 			 * probe. Instead attempt to pick up task transfer */
6895 			if(xfr->task_transfer->worker == NULL) {
6896 				xfr_start_transfer(xfr, env, spec);
6897 				return 1;
6898 			}
6899 			/* task transfer already in progress */
6900 			return 0;
6901 		}
6902 
6903 		/* pick up the probe task ourselves */
6904 		xfr->task_probe->worker = env->worker;
6905 		xfr->task_probe->env = env;
6906 		xfr->task_probe->cp = NULL;
6907 
6908 		/* start the task */
6909 		/* have not seen a new lease yet, this scan */
6910 		xfr->task_probe->have_new_lease = 0;
6911 		/* if this was a timeout, no specific first master to scan */
6912 		/* otherwise, spec is nonNULL the notified master, scan
6913 		 * first and also transfer first from it */
6914 		xfr_probe_start_list(xfr, spec);
6915 		/* setup to start the lookup of hostnames of masters afresh */
6916 		xfr_probe_start_lookups(xfr);
6917 		/* send the probe packet or next send, or end task */
6918 		xfr_probe_send_or_end(xfr, env);
6919 		return 1;
6920 	}
6921 	return 0;
6922 }
6923 
6924 /** for task_nextprobe.
6925  * determine next timeout for auth_xfer. Also (re)sets timer.
6926  * @param xfr: task structure
6927  * @param env: module environment, with worker and time.
6928  * @param failure: set true if timer should be set for failure retry.
6929  * @param lookup_only: only perform lookups when timer done, 0 sec timeout
6930  */
6931 static void
6932 xfr_set_timeout(struct auth_xfer* xfr, struct module_env* env,
6933 	int failure, int lookup_only)
6934 {
6935 	struct timeval tv;
6936 	log_assert(xfr->task_nextprobe != NULL);
6937 	log_assert(xfr->task_nextprobe->worker == NULL ||
6938 		xfr->task_nextprobe->worker == env->worker);
6939 	/* normally, nextprobe = startoflease + refresh,
6940 	 * but if expiry is sooner, use that one.
6941 	 * after a failure, use the retry timer instead. */
6942 	xfr->task_nextprobe->next_probe = *env->now;
6943 	if(xfr->lease_time && !failure)
6944 		xfr->task_nextprobe->next_probe = xfr->lease_time;
6945 
6946 	if(!failure) {
6947 		xfr->task_nextprobe->backoff = 0;
6948 	} else {
6949 		if(xfr->task_nextprobe->backoff == 0)
6950 				xfr->task_nextprobe->backoff = 3;
6951 		else	xfr->task_nextprobe->backoff *= 2;
6952 		if(xfr->task_nextprobe->backoff > AUTH_TRANSFER_MAX_BACKOFF)
6953 			xfr->task_nextprobe->backoff =
6954 				AUTH_TRANSFER_MAX_BACKOFF;
6955 	}
6956 
6957 	if(xfr->have_zone) {
6958 		time_t wait = xfr->refresh;
6959 		if(failure) wait = xfr->retry;
6960 		if(xfr->expiry < wait)
6961 			xfr->task_nextprobe->next_probe += xfr->expiry;
6962 		else	xfr->task_nextprobe->next_probe += wait;
6963 		if(failure)
6964 			xfr->task_nextprobe->next_probe +=
6965 				xfr->task_nextprobe->backoff;
6966 		/* put the timer exactly on expiry, if possible */
6967 		if(xfr->lease_time && xfr->lease_time+xfr->expiry <
6968 			xfr->task_nextprobe->next_probe &&
6969 			xfr->lease_time+xfr->expiry > *env->now)
6970 			xfr->task_nextprobe->next_probe =
6971 				xfr->lease_time+xfr->expiry;
6972 	} else {
6973 		xfr->task_nextprobe->next_probe +=
6974 			xfr->task_nextprobe->backoff;
6975 	}
6976 
6977 	if(!xfr->task_nextprobe->timer) {
6978 		xfr->task_nextprobe->timer = comm_timer_create(
6979 			env->worker_base, auth_xfer_timer, xfr);
6980 		if(!xfr->task_nextprobe->timer) {
6981 			/* failed to malloc memory. likely zone transfer
6982 			 * also fails for that. skip the timeout */
6983 			char zname[255+1];
6984 			dname_str(xfr->name, zname);
6985 			log_err("cannot allocate timer, no refresh for %s",
6986 				zname);
6987 			return;
6988 		}
6989 	}
6990 	xfr->task_nextprobe->worker = env->worker;
6991 	xfr->task_nextprobe->env = env;
6992 	if(*(xfr->task_nextprobe->env->now) <= xfr->task_nextprobe->next_probe)
6993 		tv.tv_sec = xfr->task_nextprobe->next_probe -
6994 			*(xfr->task_nextprobe->env->now);
6995 	else	tv.tv_sec = 0;
6996 	if(tv.tv_sec != 0 && lookup_only && xfr->task_probe->masters) {
6997 		/* don't lookup_only, if lookup timeout is 0 anyway,
6998 		 * or if we don't have masters to lookup */
6999 		tv.tv_sec = 0;
7000 		if(xfr->task_probe->worker == NULL)
7001 			xfr->task_probe->only_lookup = 1;
7002 	}
7003 	if(verbosity >= VERB_ALGO) {
7004 		char zname[255+1];
7005 		dname_str(xfr->name, zname);
7006 		verbose(VERB_ALGO, "auth zone %s timeout in %d seconds",
7007 			zname, (int)tv.tv_sec);
7008 	}
7009 	tv.tv_usec = 0;
7010 	comm_timer_set(xfr->task_nextprobe->timer, &tv);
7011 }
7012 
7013 /** initial pick up of worker timeouts, ties events to worker event loop */
7014 void
7015 auth_xfer_pickup_initial(struct auth_zones* az, struct module_env* env)
7016 {
7017 	struct auth_xfer* x;
7018 	lock_rw_wrlock(&az->lock);
7019 	RBTREE_FOR(x, struct auth_xfer*, &az->xtree) {
7020 		lock_basic_lock(&x->lock);
7021 		/* set lease_time, because we now have timestamp in env,
7022 		 * (not earlier during startup and apply_cfg), and this
7023 		 * notes the start time when the data was acquired */
7024 		if(x->have_zone)
7025 			x->lease_time = *env->now;
7026 		if(x->task_nextprobe && x->task_nextprobe->worker == NULL) {
7027 			xfr_set_timeout(x, env, 0, 1);
7028 		}
7029 		lock_basic_unlock(&x->lock);
7030 	}
7031 	lock_rw_unlock(&az->lock);
7032 }
7033 
7034 void auth_zones_cleanup(struct auth_zones* az)
7035 {
7036 	struct auth_xfer* x;
7037 	lock_rw_wrlock(&az->lock);
7038 	RBTREE_FOR(x, struct auth_xfer*, &az->xtree) {
7039 		lock_basic_lock(&x->lock);
7040 		if(x->task_nextprobe && x->task_nextprobe->worker != NULL) {
7041 			xfr_nextprobe_disown(x);
7042 		}
7043 		if(x->task_probe && x->task_probe->worker != NULL) {
7044 			xfr_probe_disown(x);
7045 		}
7046 		if(x->task_transfer && x->task_transfer->worker != NULL) {
7047 			auth_chunks_delete(x->task_transfer);
7048 			xfr_transfer_disown(x);
7049 		}
7050 		lock_basic_unlock(&x->lock);
7051 	}
7052 	lock_rw_unlock(&az->lock);
7053 }
7054 
7055 /**
7056  * malloc the xfer and tasks
7057  * @param z: auth_zone with name of zone.
7058  */
7059 static struct auth_xfer*
7060 auth_xfer_new(struct auth_zone* z)
7061 {
7062 	struct auth_xfer* xfr;
7063 	xfr = (struct auth_xfer*)calloc(1, sizeof(*xfr));
7064 	if(!xfr) return NULL;
7065 	xfr->name = memdup(z->name, z->namelen);
7066 	if(!xfr->name) {
7067 		free(xfr);
7068 		return NULL;
7069 	}
7070 	xfr->node.key = xfr;
7071 	xfr->namelen = z->namelen;
7072 	xfr->namelabs = z->namelabs;
7073 	xfr->dclass = z->dclass;
7074 
7075 	xfr->task_nextprobe = (struct auth_nextprobe*)calloc(1,
7076 		sizeof(struct auth_nextprobe));
7077 	if(!xfr->task_nextprobe) {
7078 		free(xfr->name);
7079 		free(xfr);
7080 		return NULL;
7081 	}
7082 	xfr->task_probe = (struct auth_probe*)calloc(1,
7083 		sizeof(struct auth_probe));
7084 	if(!xfr->task_probe) {
7085 		free(xfr->task_nextprobe);
7086 		free(xfr->name);
7087 		free(xfr);
7088 		return NULL;
7089 	}
7090 	xfr->task_transfer = (struct auth_transfer*)calloc(1,
7091 		sizeof(struct auth_transfer));
7092 	if(!xfr->task_transfer) {
7093 		free(xfr->task_probe);
7094 		free(xfr->task_nextprobe);
7095 		free(xfr->name);
7096 		free(xfr);
7097 		return NULL;
7098 	}
7099 
7100 	lock_basic_init(&xfr->lock);
7101 	lock_protect(&xfr->lock, &xfr->name, sizeof(xfr->name));
7102 	lock_protect(&xfr->lock, &xfr->namelen, sizeof(xfr->namelen));
7103 	lock_protect(&xfr->lock, xfr->name, xfr->namelen);
7104 	lock_protect(&xfr->lock, &xfr->namelabs, sizeof(xfr->namelabs));
7105 	lock_protect(&xfr->lock, &xfr->dclass, sizeof(xfr->dclass));
7106 	lock_protect(&xfr->lock, &xfr->notify_received, sizeof(xfr->notify_received));
7107 	lock_protect(&xfr->lock, &xfr->notify_serial, sizeof(xfr->notify_serial));
7108 	lock_protect(&xfr->lock, &xfr->zone_expired, sizeof(xfr->zone_expired));
7109 	lock_protect(&xfr->lock, &xfr->have_zone, sizeof(xfr->have_zone));
7110 	lock_protect(&xfr->lock, &xfr->serial, sizeof(xfr->serial));
7111 	lock_protect(&xfr->lock, &xfr->retry, sizeof(xfr->retry));
7112 	lock_protect(&xfr->lock, &xfr->refresh, sizeof(xfr->refresh));
7113 	lock_protect(&xfr->lock, &xfr->expiry, sizeof(xfr->expiry));
7114 	lock_protect(&xfr->lock, &xfr->lease_time, sizeof(xfr->lease_time));
7115 	lock_protect(&xfr->lock, &xfr->task_nextprobe->worker,
7116 		sizeof(xfr->task_nextprobe->worker));
7117 	lock_protect(&xfr->lock, &xfr->task_probe->worker,
7118 		sizeof(xfr->task_probe->worker));
7119 	lock_protect(&xfr->lock, &xfr->task_transfer->worker,
7120 		sizeof(xfr->task_transfer->worker));
7121 	lock_basic_lock(&xfr->lock);
7122 	return xfr;
7123 }
7124 
7125 /** Create auth_xfer structure.
7126  * This populates the have_zone, soa values, and so on times.
7127  * and sets the timeout, if a zone transfer is needed a short timeout is set.
7128  * For that the auth_zone itself must exist (and read in zonefile)
7129  * returns false on alloc failure. */
7130 struct auth_xfer*
7131 auth_xfer_create(struct auth_zones* az, struct auth_zone* z)
7132 {
7133 	struct auth_xfer* xfr;
7134 
7135 	/* malloc it */
7136 	xfr = auth_xfer_new(z);
7137 	if(!xfr) {
7138 		log_err("malloc failure");
7139 		return NULL;
7140 	}
7141 	/* insert in tree */
7142 	(void)rbtree_insert(&az->xtree, &xfr->node);
7143 	return xfr;
7144 }
7145 
7146 /** create new auth_master structure */
7147 static struct auth_master*
7148 auth_master_new(struct auth_master*** list)
7149 {
7150 	struct auth_master *m;
7151 	m = (struct auth_master*)calloc(1, sizeof(*m));
7152 	if(!m) {
7153 		log_err("malloc failure");
7154 		return NULL;
7155 	}
7156 	/* set first pointer to m, or next pointer of previous element to m */
7157 	(**list) = m;
7158 	/* store m's next pointer as future point to store at */
7159 	(*list) = &(m->next);
7160 	return m;
7161 }
7162 
7163 /** dup_prefix : create string from initial part of other string, malloced */
7164 static char*
7165 dup_prefix(char* str, size_t num)
7166 {
7167 	char* result;
7168 	size_t len = strlen(str);
7169 	if(len < num) num = len; /* not more than strlen */
7170 	result = (char*)malloc(num+1);
7171 	if(!result) {
7172 		log_err("malloc failure");
7173 		return result;
7174 	}
7175 	memmove(result, str, num);
7176 	result[num] = 0;
7177 	return result;
7178 }
7179 
7180 /** dup string and print error on error */
7181 static char*
7182 dup_all(char* str)
7183 {
7184 	char* result = strdup(str);
7185 	if(!result) {
7186 		log_err("malloc failure");
7187 		return NULL;
7188 	}
7189 	return result;
7190 }
7191 
7192 /** find first of two characters */
7193 static char*
7194 str_find_first_of_chars(char* s, char a, char b)
7195 {
7196 	char* ra = strchr(s, a);
7197 	char* rb = strchr(s, b);
7198 	if(!ra) return rb;
7199 	if(!rb) return ra;
7200 	if(ra < rb) return ra;
7201 	return rb;
7202 }
7203 
7204 /** parse URL into host and file parts, false on malloc or parse error */
7205 static int
7206 parse_url(char* url, char** host, char** file, int* port, int* ssl)
7207 {
7208 	char* p = url;
7209 	/* parse http://www.example.com/file.htm
7210 	 * or http://127.0.0.1   (index.html)
7211 	 * or https://[::1@1234]/a/b/c/d */
7212 	*ssl = 1;
7213 	*port = AUTH_HTTPS_PORT;
7214 
7215 	/* parse http:// or https:// */
7216 	if(strncmp(p, "http://", 7) == 0) {
7217 		p += 7;
7218 		*ssl = 0;
7219 		*port = AUTH_HTTP_PORT;
7220 	} else if(strncmp(p, "https://", 8) == 0) {
7221 		p += 8;
7222 	} else if(strstr(p, "://") && strchr(p, '/') > strstr(p, "://") &&
7223 		strchr(p, ':') >= strstr(p, "://")) {
7224 		char* uri = dup_prefix(p, (size_t)(strstr(p, "://")-p));
7225 		log_err("protocol %s:// not supported (for url %s)",
7226 			uri?uri:"", p);
7227 		free(uri);
7228 		return 0;
7229 	}
7230 
7231 	/* parse hostname part */
7232 	if(p[0] == '[') {
7233 		char* end = strchr(p, ']');
7234 		p++; /* skip over [ */
7235 		if(end) {
7236 			*host = dup_prefix(p, (size_t)(end-p));
7237 			if(!*host) return 0;
7238 			p = end+1; /* skip over ] */
7239 		} else {
7240 			*host = dup_all(p);
7241 			if(!*host) return 0;
7242 			p = end;
7243 		}
7244 	} else {
7245 		char* end = str_find_first_of_chars(p, ':', '/');
7246 		if(end) {
7247 			*host = dup_prefix(p, (size_t)(end-p));
7248 			if(!*host) return 0;
7249 		} else {
7250 			*host = dup_all(p);
7251 			if(!*host) return 0;
7252 		}
7253 		p = end; /* at next : or / or NULL */
7254 	}
7255 
7256 	/* parse port number */
7257 	if(p && p[0] == ':') {
7258 		char* end = NULL;
7259 		*port = strtol(p+1, &end, 10);
7260 		p = end;
7261 	}
7262 
7263 	/* parse filename part */
7264 	while(p && *p == '/')
7265 		p++;
7266 	if(!p || p[0] == 0)
7267 		*file = strdup("/");
7268 	else	*file = strdup(p);
7269 	if(!*file) {
7270 		log_err("malloc failure");
7271 		return 0;
7272 	}
7273 	return 1;
7274 }
7275 
7276 int
7277 xfer_set_masters(struct auth_master** list, struct config_auth* c,
7278 	int with_http)
7279 {
7280 	struct auth_master* m;
7281 	struct config_strlist* p;
7282 	/* list points to the first, or next pointer for the new element */
7283 	while(*list) {
7284 		list = &( (*list)->next );
7285 	}
7286 	if(with_http)
7287 	  for(p = c->urls; p; p = p->next) {
7288 		m = auth_master_new(&list);
7289 		if(!m) return 0;
7290 		m->http = 1;
7291 		if(!parse_url(p->str, &m->host, &m->file, &m->port, &m->ssl))
7292 			return 0;
7293 	}
7294 	for(p = c->masters; p; p = p->next) {
7295 		m = auth_master_new(&list);
7296 		if(!m) return 0;
7297 		m->ixfr = 1; /* this flag is not configurable */
7298 		m->host = strdup(p->str);
7299 		if(!m->host) {
7300 			log_err("malloc failure");
7301 			return 0;
7302 		}
7303 	}
7304 	for(p = c->allow_notify; p; p = p->next) {
7305 		m = auth_master_new(&list);
7306 		if(!m) return 0;
7307 		m->allow_notify = 1;
7308 		m->host = strdup(p->str);
7309 		if(!m->host) {
7310 			log_err("malloc failure");
7311 			return 0;
7312 		}
7313 	}
7314 	return 1;
7315 }
7316 
7317 #define SERIAL_BITS	32
7318 int
7319 compare_serial(uint32_t a, uint32_t b)
7320 {
7321 	const uint32_t cutoff = ((uint32_t) 1 << (SERIAL_BITS - 1));
7322 
7323 	if (a == b) {
7324 		return 0;
7325 	} else if ((a < b && b - a < cutoff) || (a > b && a - b > cutoff)) {
7326 		return -1;
7327 	} else {
7328 		return 1;
7329 	}
7330 }
7331 
7332 int zonemd_hashalgo_supported(int hashalgo)
7333 {
7334 	if(hashalgo == ZONEMD_ALGO_SHA384) return 1;
7335 	if(hashalgo == ZONEMD_ALGO_SHA512) return 1;
7336 	return 0;
7337 }
7338 
7339 int zonemd_scheme_supported(int scheme)
7340 {
7341 	if(scheme == ZONEMD_SCHEME_SIMPLE) return 1;
7342 	return 0;
7343 }
7344 
7345 /** initialize hash for hashing with zonemd hash algo */
7346 static struct secalgo_hash* zonemd_digest_init(int hashalgo, char** reason)
7347 {
7348 	struct secalgo_hash *h;
7349 	if(hashalgo == ZONEMD_ALGO_SHA384) {
7350 		/* sha384 */
7351 		h = secalgo_hash_create_sha384();
7352 		if(!h)
7353 			*reason = "digest sha384 could not be created";
7354 		return h;
7355 	} else if(hashalgo == ZONEMD_ALGO_SHA512) {
7356 		/* sha512 */
7357 		h = secalgo_hash_create_sha512();
7358 		if(!h)
7359 			*reason = "digest sha512 could not be created";
7360 		return h;
7361 	}
7362 	/* unknown hash algo */
7363 	*reason = "unsupported algorithm";
7364 	return NULL;
7365 }
7366 
7367 /** update the hash for zonemd */
7368 static int zonemd_digest_update(int hashalgo, struct secalgo_hash* h,
7369 	uint8_t* data, size_t len, char** reason)
7370 {
7371 	if(hashalgo == ZONEMD_ALGO_SHA384) {
7372 		if(!secalgo_hash_update(h, data, len)) {
7373 			*reason = "digest sha384 failed";
7374 			return 0;
7375 		}
7376 		return 1;
7377 	} else if(hashalgo == ZONEMD_ALGO_SHA512) {
7378 		if(!secalgo_hash_update(h, data, len)) {
7379 			*reason = "digest sha512 failed";
7380 			return 0;
7381 		}
7382 		return 1;
7383 	}
7384 	/* unknown hash algo */
7385 	*reason = "unsupported algorithm";
7386 	return 0;
7387 }
7388 
7389 /** finish the hash for zonemd */
7390 static int zonemd_digest_finish(int hashalgo, struct secalgo_hash* h,
7391 	uint8_t* result, size_t hashlen, size_t* resultlen, char** reason)
7392 {
7393 	if(hashalgo == ZONEMD_ALGO_SHA384) {
7394 		if(hashlen < 384/8) {
7395 			*reason = "digest buffer too small for sha384";
7396 			return 0;
7397 		}
7398 		if(!secalgo_hash_final(h, result, hashlen, resultlen)) {
7399 			*reason = "digest sha384 finish failed";
7400 			return 0;
7401 		}
7402 		return 1;
7403 	} else if(hashalgo == ZONEMD_ALGO_SHA512) {
7404 		if(hashlen < 512/8) {
7405 			*reason = "digest buffer too small for sha512";
7406 			return 0;
7407 		}
7408 		if(!secalgo_hash_final(h, result, hashlen, resultlen)) {
7409 			*reason = "digest sha512 finish failed";
7410 			return 0;
7411 		}
7412 		return 1;
7413 	}
7414 	/* unknown algo */
7415 	*reason = "unsupported algorithm";
7416 	return 0;
7417 }
7418 
7419 /** add rrsets from node to the list */
7420 static size_t authdata_rrsets_to_list(struct auth_rrset** array,
7421 	size_t arraysize, struct auth_rrset* first)
7422 {
7423 	struct auth_rrset* rrset = first;
7424 	size_t num = 0;
7425 	while(rrset) {
7426 		if(num >= arraysize)
7427 			return num;
7428 		array[num] = rrset;
7429 		num++;
7430 		rrset = rrset->next;
7431 	}
7432 	return num;
7433 }
7434 
7435 /** compare rr list entries */
7436 static int rrlist_compare(const void* arg1, const void* arg2)
7437 {
7438 	struct auth_rrset* r1 = *(struct auth_rrset**)arg1;
7439 	struct auth_rrset* r2 = *(struct auth_rrset**)arg2;
7440 	uint16_t t1, t2;
7441 	if(r1 == NULL) t1 = LDNS_RR_TYPE_RRSIG;
7442 	else t1 = r1->type;
7443 	if(r2 == NULL) t2 = LDNS_RR_TYPE_RRSIG;
7444 	else t2 = r2->type;
7445 	if(t1 < t2)
7446 		return -1;
7447 	if(t1 > t2)
7448 		return 1;
7449 	return 0;
7450 }
7451 
7452 /** add type RRSIG to rr list if not one there already,
7453  * this is to perform RRSIG collate processing at that point. */
7454 static void addrrsigtype_if_needed(struct auth_rrset** array,
7455 	size_t arraysize, size_t* rrnum, struct auth_data* node)
7456 {
7457 	if(az_domain_rrset(node, LDNS_RR_TYPE_RRSIG))
7458 		return; /* already one there */
7459 	if((*rrnum) >= arraysize)
7460 		return; /* array too small? */
7461 	array[*rrnum] = NULL; /* nothing there, but need entry in list */
7462 	(*rrnum)++;
7463 }
7464 
7465 /** collate the RRs in an RRset using the simple scheme */
7466 static int zonemd_simple_rrset(struct auth_zone* z, int hashalgo,
7467 	struct secalgo_hash* h, struct auth_data* node,
7468 	struct auth_rrset* rrset, struct regional* region,
7469 	struct sldns_buffer* buf, char** reason)
7470 {
7471 	/* canonicalize */
7472 	struct ub_packed_rrset_key key;
7473 	memset(&key, 0, sizeof(key));
7474 	key.entry.key = &key;
7475 	key.entry.data = rrset->data;
7476 	key.rk.dname = node->name;
7477 	key.rk.dname_len = node->namelen;
7478 	key.rk.type = htons(rrset->type);
7479 	key.rk.rrset_class = htons(z->dclass);
7480 	if(!rrset_canonicalize_to_buffer(region, buf, &key)) {
7481 		*reason = "out of memory";
7482 		return 0;
7483 	}
7484 	regional_free_all(region);
7485 
7486 	/* hash */
7487 	if(!zonemd_digest_update(hashalgo, h, sldns_buffer_begin(buf),
7488 		sldns_buffer_limit(buf), reason)) {
7489 		return 0;
7490 	}
7491 	return 1;
7492 }
7493 
7494 /** count number of RRSIGs in a domain name rrset list */
7495 static size_t zonemd_simple_count_rrsig(struct auth_rrset* rrset,
7496 	struct auth_rrset** rrlist, size_t rrnum,
7497 	struct auth_zone* z, struct auth_data* node)
7498 {
7499 	size_t i, count = 0;
7500 	if(rrset) {
7501 		size_t j;
7502 		for(j = 0; j<rrset->data->count; j++) {
7503 			if(rrsig_rdata_get_type_covered(rrset->data->
7504 				rr_data[j], rrset->data->rr_len[j]) ==
7505 				LDNS_RR_TYPE_ZONEMD &&
7506 				query_dname_compare(z->name, node->name)==0) {
7507 				/* omit RRSIGs over type ZONEMD at apex */
7508 				continue;
7509 			}
7510 			count++;
7511 		}
7512 	}
7513 	for(i=0; i<rrnum; i++) {
7514 		if(rrlist[i] && rrlist[i]->type == LDNS_RR_TYPE_ZONEMD &&
7515 			query_dname_compare(z->name, node->name)==0) {
7516 			/* omit RRSIGs over type ZONEMD at apex */
7517 			continue;
7518 		}
7519 		count += (rrlist[i]?rrlist[i]->data->rrsig_count:0);
7520 	}
7521 	return count;
7522 }
7523 
7524 /** allocate sparse rrset data for the number of entries in tepm region */
7525 static int zonemd_simple_rrsig_allocs(struct regional* region,
7526 	struct packed_rrset_data* data, size_t count)
7527 {
7528 	data->rr_len = regional_alloc(region, sizeof(*data->rr_len) * count);
7529 	if(!data->rr_len) {
7530 		return 0;
7531 	}
7532 	data->rr_ttl = regional_alloc(region, sizeof(*data->rr_ttl) * count);
7533 	if(!data->rr_ttl) {
7534 		return 0;
7535 	}
7536 	data->rr_data = regional_alloc(region, sizeof(*data->rr_data) * count);
7537 	if(!data->rr_data) {
7538 		return 0;
7539 	}
7540 	return 1;
7541 }
7542 
7543 /** add the RRSIGs from the rrs in the domain into the data */
7544 static void add_rrlist_rrsigs_into_data(struct packed_rrset_data* data,
7545 	size_t* done, struct auth_rrset** rrlist, size_t rrnum,
7546 	struct auth_zone* z, struct auth_data* node)
7547 {
7548 	size_t i;
7549 	for(i=0; i<rrnum; i++) {
7550 		size_t j;
7551 		if(!rrlist[i])
7552 			continue;
7553 		if(rrlist[i]->type == LDNS_RR_TYPE_ZONEMD &&
7554 			query_dname_compare(z->name, node->name)==0) {
7555 			/* omit RRSIGs over type ZONEMD at apex */
7556 			continue;
7557 		}
7558 		for(j = 0; j<rrlist[i]->data->rrsig_count; j++) {
7559 			data->rr_len[*done] = rrlist[i]->data->rr_len[rrlist[i]->data->count + j];
7560 			data->rr_ttl[*done] = rrlist[i]->data->rr_ttl[rrlist[i]->data->count + j];
7561 			/* reference the rdata in the rrset, no need to
7562 			 * copy it, it is no longer needed at the end of
7563 			 * the routine */
7564 			data->rr_data[*done] = rrlist[i]->data->rr_data[rrlist[i]->data->count + j];
7565 			(*done)++;
7566 		}
7567 	}
7568 }
7569 
7570 static void add_rrset_into_data(struct packed_rrset_data* data,
7571 	size_t* done, struct auth_rrset* rrset,
7572 	struct auth_zone* z, struct auth_data* node)
7573 {
7574 	if(rrset) {
7575 		size_t j;
7576 		for(j = 0; j<rrset->data->count; j++) {
7577 			if(rrsig_rdata_get_type_covered(rrset->data->
7578 				rr_data[j], rrset->data->rr_len[j]) ==
7579 				LDNS_RR_TYPE_ZONEMD &&
7580 				query_dname_compare(z->name, node->name)==0) {
7581 				/* omit RRSIGs over type ZONEMD at apex */
7582 				continue;
7583 			}
7584 			data->rr_len[*done] = rrset->data->rr_len[j];
7585 			data->rr_ttl[*done] = rrset->data->rr_ttl[j];
7586 			/* reference the rdata in the rrset, no need to
7587 			 * copy it, it is no longer need at the end of
7588 			 * the routine */
7589 			data->rr_data[*done] = rrset->data->rr_data[j];
7590 			(*done)++;
7591 		}
7592 	}
7593 }
7594 
7595 /** collate the RRSIGs using the simple scheme */
7596 static int zonemd_simple_rrsig(struct auth_zone* z, int hashalgo,
7597 	struct secalgo_hash* h, struct auth_data* node,
7598 	struct auth_rrset* rrset, struct auth_rrset** rrlist, size_t rrnum,
7599 	struct regional* region, struct sldns_buffer* buf, char** reason)
7600 {
7601 	/* the rrset pointer can be NULL, this means it is type RRSIG and
7602 	 * there is no ordinary type RRSIG there.  The RRSIGs are stored
7603 	 * with the RRsets in their data.
7604 	 *
7605 	 * The RRset pointer can be nonNULL. This happens if there is
7606 	 * no RR that is covered by the RRSIG for the domain.  Then this
7607 	 * RRSIG RR is stored in an rrset of type RRSIG. The other RRSIGs
7608 	 * are stored in the rrset entries for the RRs in the rr list for
7609 	 * the domain node.  We need to collate the rrset's data, if any, and
7610 	 * the rrlist's rrsigs */
7611 	/* if this is the apex, omit RRSIGs that cover type ZONEMD */
7612 	/* build rrsig rrset */
7613 	size_t done = 0;
7614 	struct ub_packed_rrset_key key;
7615 	struct packed_rrset_data data;
7616 	memset(&key, 0, sizeof(key));
7617 	memset(&data, 0, sizeof(data));
7618 	key.entry.key = &key;
7619 	key.entry.data = &data;
7620 	key.rk.dname = node->name;
7621 	key.rk.dname_len = node->namelen;
7622 	key.rk.type = htons(LDNS_RR_TYPE_RRSIG);
7623 	key.rk.rrset_class = htons(z->dclass);
7624 	data.count = zonemd_simple_count_rrsig(rrset, rrlist, rrnum, z, node);
7625 	if(!zonemd_simple_rrsig_allocs(region, &data, data.count)) {
7626 		*reason = "out of memory";
7627 		regional_free_all(region);
7628 		return 0;
7629 	}
7630 	/* all the RRSIGs stored in the other rrsets for this domain node */
7631 	add_rrlist_rrsigs_into_data(&data, &done, rrlist, rrnum, z, node);
7632 	/* plus the RRSIGs stored in an rrset of type RRSIG for this node */
7633 	add_rrset_into_data(&data, &done, rrset, z, node);
7634 
7635 	/* canonicalize */
7636 	if(!rrset_canonicalize_to_buffer(region, buf, &key)) {
7637 		*reason = "out of memory";
7638 		regional_free_all(region);
7639 		return 0;
7640 	}
7641 	regional_free_all(region);
7642 
7643 	/* hash */
7644 	if(!zonemd_digest_update(hashalgo, h, sldns_buffer_begin(buf),
7645 		sldns_buffer_limit(buf), reason)) {
7646 		return 0;
7647 	}
7648 	return 1;
7649 }
7650 
7651 /** collate a domain's rrsets using the simple scheme */
7652 static int zonemd_simple_domain(struct auth_zone* z, int hashalgo,
7653 	struct secalgo_hash* h, struct auth_data* node,
7654 	struct regional* region, struct sldns_buffer* buf, char** reason)
7655 {
7656 	const size_t rrlistsize = 65536;
7657 	struct auth_rrset* rrlist[rrlistsize];
7658 	size_t i, rrnum = 0;
7659 	/* see if the domain is out of scope, the zone origin,
7660 	 * that would be omitted */
7661 	if(!dname_subdomain_c(node->name, z->name))
7662 		return 1; /* continue */
7663 	/* loop over the rrsets in ascending order. */
7664 	rrnum = authdata_rrsets_to_list(rrlist, rrlistsize, node->rrsets);
7665 	addrrsigtype_if_needed(rrlist, rrlistsize, &rrnum, node);
7666 	qsort(rrlist, rrnum, sizeof(*rrlist), rrlist_compare);
7667 	for(i=0; i<rrnum; i++) {
7668 		if(rrlist[i] && rrlist[i]->type == LDNS_RR_TYPE_ZONEMD &&
7669 			query_dname_compare(z->name, node->name) == 0) {
7670 			/* omit type ZONEMD at apex */
7671 			continue;
7672 		}
7673 		if(rrlist[i] == NULL || rrlist[i]->type ==
7674 			LDNS_RR_TYPE_RRSIG) {
7675 			if(!zonemd_simple_rrsig(z, hashalgo, h, node,
7676 				rrlist[i], rrlist, rrnum, region, buf, reason))
7677 				return 0;
7678 		} else if(!zonemd_simple_rrset(z, hashalgo, h, node,
7679 			rrlist[i], region, buf, reason)) {
7680 			return 0;
7681 		}
7682 	}
7683 	return 1;
7684 }
7685 
7686 /** collate the zone using the simple scheme */
7687 static int zonemd_simple_collate(struct auth_zone* z, int hashalgo,
7688 	struct secalgo_hash* h, struct regional* region,
7689 	struct sldns_buffer* buf, char** reason)
7690 {
7691 	/* our tree is sorted in canonical order, so we can just loop over
7692 	 * the tree */
7693 	struct auth_data* n;
7694 	RBTREE_FOR(n, struct auth_data*, &z->data) {
7695 		if(!zonemd_simple_domain(z, hashalgo, h, n, region, buf,
7696 			reason))
7697 			return 0;
7698 	}
7699 	return 1;
7700 }
7701 
7702 int auth_zone_generate_zonemd_hash(struct auth_zone* z, int scheme,
7703 	int hashalgo, uint8_t* hash, size_t hashlen, size_t* resultlen,
7704 	struct regional* region, struct sldns_buffer* buf, char** reason)
7705 {
7706 	struct secalgo_hash* h = zonemd_digest_init(hashalgo, reason);
7707 	if(!h) {
7708 		if(!*reason)
7709 			*reason = "digest init fail";
7710 		return 0;
7711 	}
7712 	if(scheme == ZONEMD_SCHEME_SIMPLE) {
7713 		if(!zonemd_simple_collate(z, hashalgo, h, region, buf, reason)) {
7714 			if(!*reason) *reason = "scheme simple collate fail";
7715 			secalgo_hash_delete(h);
7716 			return 0;
7717 		}
7718 	}
7719 	if(!zonemd_digest_finish(hashalgo, h, hash, hashlen, resultlen,
7720 		reason)) {
7721 		secalgo_hash_delete(h);
7722 		*reason = "digest finish fail";
7723 		return 0;
7724 	}
7725 	secalgo_hash_delete(h);
7726 	return 1;
7727 }
7728 
7729 int auth_zone_generate_zonemd_check(struct auth_zone* z, int scheme,
7730 	int hashalgo, uint8_t* hash, size_t hashlen, struct regional* region,
7731 	struct sldns_buffer* buf, char** reason)
7732 {
7733 	uint8_t gen[512];
7734 	size_t genlen = 0;
7735 	*reason = NULL;
7736 	if(!zonemd_hashalgo_supported(hashalgo)) {
7737 		/* allow it */
7738 		*reason = "unsupported algorithm";
7739 		return 1;
7740 	}
7741 	if(!zonemd_scheme_supported(scheme)) {
7742 		/* allow it */
7743 		*reason = "unsupported scheme";
7744 		return 1;
7745 	}
7746 	if(hashlen < 12) {
7747 		/* the ZONEMD draft requires digests to fail if too small */
7748 		*reason = "digest length too small, less than 12";
7749 		return 0;
7750 	}
7751 	/* generate digest */
7752 	if(!auth_zone_generate_zonemd_hash(z, scheme, hashalgo, gen,
7753 		sizeof(gen), &genlen, region, buf, reason)) {
7754 		/* reason filled in by zonemd hash routine */
7755 		return 0;
7756 	}
7757 	/* check digest length */
7758 	if(hashlen != genlen) {
7759 		*reason = "incorrect digest length";
7760 		if(verbosity >= VERB_ALGO) {
7761 			verbose(VERB_ALGO, "zonemd scheme=%d hashalgo=%d",
7762 				scheme, hashalgo);
7763 			log_hex("ZONEMD should be  ", gen, genlen);
7764 			log_hex("ZONEMD to check is", hash, hashlen);
7765 		}
7766 		return 0;
7767 	}
7768 	/* check digest */
7769 	if(memcmp(hash, gen, genlen) != 0) {
7770 		*reason = "incorrect digest";
7771 		if(verbosity >= VERB_ALGO) {
7772 			verbose(VERB_ALGO, "zonemd scheme=%d hashalgo=%d",
7773 				scheme, hashalgo);
7774 			log_hex("ZONEMD should be  ", gen, genlen);
7775 			log_hex("ZONEMD to check is", hash, hashlen);
7776 		}
7777 		return 0;
7778 	}
7779 	return 1;
7780 }
7781 
7782 /** log auth zone message with zone name in front. */
7783 static void auth_zone_log(uint8_t* name, enum verbosity_value level,
7784 	const char* format, ...) ATTR_FORMAT(printf, 3, 4);
7785 static void auth_zone_log(uint8_t* name, enum verbosity_value level,
7786 	const char* format, ...)
7787 {
7788 	va_list args;
7789 	va_start(args, format);
7790 	if(verbosity >= level) {
7791 		char str[255+1];
7792 		char msg[MAXSYSLOGMSGLEN];
7793 		dname_str(name, str);
7794 		vsnprintf(msg, sizeof(msg), format, args);
7795 		verbose(level, "auth zone %s %s", str, msg);
7796 	}
7797 	va_end(args);
7798 }
7799 
7800 /** ZONEMD, dnssec verify the rrset with the dnskey */
7801 static int zonemd_dnssec_verify_rrset(struct auth_zone* z,
7802 	struct module_env* env, struct module_stack* mods,
7803 	struct ub_packed_rrset_key* dnskey, struct auth_data* node,
7804 	struct auth_rrset* rrset, char** why_bogus, uint8_t* sigalg,
7805 	char* reasonbuf, size_t reasonlen)
7806 {
7807 	struct ub_packed_rrset_key pk;
7808 	enum sec_status sec;
7809 	struct val_env* ve;
7810 	int m;
7811 	int verified = 0;
7812 	m = modstack_find(mods, "validator");
7813 	if(m == -1) {
7814 		auth_zone_log(z->name, VERB_ALGO, "zonemd dnssec verify: have "
7815 			"DNSKEY chain of trust, but no validator module");
7816 		return 0;
7817 	}
7818 	ve = (struct val_env*)env->modinfo[m];
7819 
7820 	memset(&pk, 0, sizeof(pk));
7821 	pk.entry.key = &pk;
7822 	pk.entry.data = rrset->data;
7823 	pk.rk.dname = node->name;
7824 	pk.rk.dname_len = node->namelen;
7825 	pk.rk.type = htons(rrset->type);
7826 	pk.rk.rrset_class = htons(z->dclass);
7827 	if(verbosity >= VERB_ALGO) {
7828 		char typestr[32];
7829 		typestr[0]=0;
7830 		sldns_wire2str_type_buf(rrset->type, typestr, sizeof(typestr));
7831 		auth_zone_log(z->name, VERB_ALGO,
7832 			"zonemd: verify %s RRset with DNSKEY", typestr);
7833 	}
7834 	sec = dnskeyset_verify_rrset(env, ve, &pk, dnskey, sigalg, why_bogus, NULL,
7835 		LDNS_SECTION_ANSWER, NULL, &verified, reasonbuf, reasonlen);
7836 	if(sec == sec_status_secure) {
7837 		return 1;
7838 	}
7839 	if(why_bogus)
7840 		auth_zone_log(z->name, VERB_ALGO, "DNSSEC verify was bogus: %s", *why_bogus);
7841 	return 0;
7842 }
7843 
7844 /** check for nsec3, the RR with params equal, if bitmap has the type */
7845 static int nsec3_of_param_has_type(struct auth_rrset* nsec3, int algo,
7846 	size_t iter, uint8_t* salt, size_t saltlen, uint16_t rrtype)
7847 {
7848 	int i, count = (int)nsec3->data->count;
7849 	struct ub_packed_rrset_key pk;
7850 	memset(&pk, 0, sizeof(pk));
7851 	pk.entry.data = nsec3->data;
7852 	for(i=0; i<count; i++) {
7853 		int rralgo;
7854 		size_t rriter, rrsaltlen;
7855 		uint8_t* rrsalt;
7856 		if(!nsec3_get_params(&pk, i, &rralgo, &rriter, &rrsalt,
7857 			&rrsaltlen))
7858 			continue; /* no parameters, malformed */
7859 		if(rralgo != algo || rriter != iter || rrsaltlen != saltlen)
7860 			continue; /* different parameters */
7861 		if(saltlen != 0) {
7862 			if(rrsalt == NULL || salt == NULL)
7863 				continue;
7864 			if(memcmp(rrsalt, salt, saltlen) != 0)
7865 				continue; /* different salt parameters */
7866 		}
7867 		if(nsec3_has_type(&pk, i, rrtype))
7868 			return 1;
7869 	}
7870 	return 0;
7871 }
7872 
7873 /** Verify the absence of ZONEMD with DNSSEC by checking NSEC, NSEC3 type flag.
7874  * return false on failure, reason contains description of failure. */
7875 static int zonemd_check_dnssec_absence(struct auth_zone* z,
7876 	struct module_env* env, struct module_stack* mods,
7877 	struct ub_packed_rrset_key* dnskey, struct auth_data* apex,
7878 	char** reason, char** why_bogus, uint8_t* sigalg, char* reasonbuf,
7879 	size_t reasonlen)
7880 {
7881 	struct auth_rrset* nsec = NULL;
7882 	if(!apex) {
7883 		*reason = "zone has no apex domain but ZONEMD missing";
7884 		return 0;
7885 	}
7886 	nsec = az_domain_rrset(apex, LDNS_RR_TYPE_NSEC);
7887 	if(nsec) {
7888 		struct ub_packed_rrset_key pk;
7889 		/* dnssec verify the NSEC */
7890 		if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex,
7891 			nsec, why_bogus, sigalg, reasonbuf, reasonlen)) {
7892 			*reason = "DNSSEC verify failed for NSEC RRset";
7893 			return 0;
7894 		}
7895 		/* check type bitmap */
7896 		memset(&pk, 0, sizeof(pk));
7897 		pk.entry.data = nsec->data;
7898 		if(nsec_has_type(&pk, LDNS_RR_TYPE_ZONEMD)) {
7899 			*reason = "DNSSEC NSEC bitmap says type ZONEMD exists";
7900 			return 0;
7901 		}
7902 		auth_zone_log(z->name, VERB_ALGO, "zonemd DNSSEC NSEC verification of absence of ZONEMD secure");
7903 	} else {
7904 		/* NSEC3 perhaps ? */
7905 		int algo;
7906 		size_t iter, saltlen;
7907 		uint8_t* salt;
7908 		struct auth_rrset* nsec3param = az_domain_rrset(apex,
7909 			LDNS_RR_TYPE_NSEC3PARAM);
7910 		struct auth_data* match;
7911 		struct auth_rrset* nsec3;
7912 		if(!nsec3param) {
7913 			*reason = "zone has no NSEC information but ZONEMD missing";
7914 			return 0;
7915 		}
7916 		if(!az_nsec3_param(z, &algo, &iter, &salt, &saltlen)) {
7917 			*reason = "zone has no NSEC information but ZONEMD missing";
7918 			return 0;
7919 		}
7920 		/* find the NSEC3 record */
7921 		match = az_nsec3_find_exact(z, z->name, z->namelen, algo,
7922 			iter, salt, saltlen);
7923 		if(!match) {
7924 			*reason = "zone has no NSEC3 domain for the apex but ZONEMD missing";
7925 			return 0;
7926 		}
7927 		nsec3 = az_domain_rrset(match, LDNS_RR_TYPE_NSEC3);
7928 		if(!nsec3) {
7929 			*reason = "zone has no NSEC3 RRset for the apex but ZONEMD missing";
7930 			return 0;
7931 		}
7932 		/* dnssec verify the NSEC3 */
7933 		if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, match,
7934 			nsec3, why_bogus, sigalg, reasonbuf, reasonlen)) {
7935 			*reason = "DNSSEC verify failed for NSEC3 RRset";
7936 			return 0;
7937 		}
7938 		/* check type bitmap */
7939 		if(nsec3_of_param_has_type(nsec3, algo, iter, salt, saltlen,
7940 			LDNS_RR_TYPE_ZONEMD)) {
7941 			*reason = "DNSSEC NSEC3 bitmap says type ZONEMD exists";
7942 			return 0;
7943 		}
7944 		auth_zone_log(z->name, VERB_ALGO, "zonemd DNSSEC NSEC3 verification of absence of ZONEMD secure");
7945 	}
7946 
7947 	return 1;
7948 }
7949 
7950 /** Verify the SOA and ZONEMD DNSSEC signatures.
7951  * return false on failure, reason contains description of failure. */
7952 static int zonemd_check_dnssec_soazonemd(struct auth_zone* z,
7953 	struct module_env* env, struct module_stack* mods,
7954 	struct ub_packed_rrset_key* dnskey, struct auth_data* apex,
7955 	struct auth_rrset* zonemd_rrset, char** reason, char** why_bogus,
7956 	uint8_t* sigalg, char* reasonbuf, size_t reasonlen)
7957 {
7958 	struct auth_rrset* soa;
7959 	if(!apex) {
7960 		*reason = "zone has no apex domain";
7961 		return 0;
7962 	}
7963 	soa = az_domain_rrset(apex, LDNS_RR_TYPE_SOA);
7964 	if(!soa) {
7965 		*reason = "zone has no SOA RRset";
7966 		return 0;
7967 	}
7968 	if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex, soa,
7969 		why_bogus, sigalg, reasonbuf, reasonlen)) {
7970 		*reason = "DNSSEC verify failed for SOA RRset";
7971 		return 0;
7972 	}
7973 	if(!zonemd_dnssec_verify_rrset(z, env, mods, dnskey, apex,
7974 		zonemd_rrset, why_bogus, sigalg, reasonbuf, reasonlen)) {
7975 		*reason = "DNSSEC verify failed for ZONEMD RRset";
7976 		return 0;
7977 	}
7978 	auth_zone_log(z->name, VERB_ALGO, "zonemd DNSSEC verification of SOA and ZONEMD RRsets secure");
7979 	return 1;
7980 }
7981 
7982 /**
7983  * Fail the ZONEMD verification.
7984  * @param z: auth zone that fails.
7985  * @param env: environment with config, to ignore failure or not.
7986  * @param reason: failure string description.
7987  * @param why_bogus: failure string for DNSSEC verification failure.
7988  * @param result: strdup result in here if not NULL.
7989  */
7990 static void auth_zone_zonemd_fail(struct auth_zone* z, struct module_env* env,
7991 	char* reason, char* why_bogus, char** result)
7992 {
7993 	char zstr[255+1];
7994 	/* if fail: log reason, and depending on config also take action
7995 	 * and drop the zone, eg. it is gone from memory, set zone_expired */
7996 	dname_str(z->name, zstr);
7997 	if(!reason) reason = "verification failed";
7998 	if(result) {
7999 		if(why_bogus) {
8000 			char res[1024];
8001 			snprintf(res, sizeof(res), "%s: %s", reason,
8002 				why_bogus);
8003 			*result = strdup(res);
8004 		} else {
8005 			*result = strdup(reason);
8006 		}
8007 		if(!*result) log_err("out of memory");
8008 	} else {
8009 		log_warn("auth zone %s: ZONEMD verification failed: %s", zstr, reason);
8010 	}
8011 
8012 	if(env->cfg->zonemd_permissive_mode) {
8013 		verbose(VERB_ALGO, "zonemd-permissive-mode enabled, "
8014 			"not blocking zone %s", zstr);
8015 		return;
8016 	}
8017 
8018 	/* expired means the zone gives servfail and is not used by
8019 	 * lookup if fallback_enabled*/
8020 	z->zone_expired = 1;
8021 }
8022 
8023 /**
8024  * Verify the zonemd with DNSSEC and hash check, with given key.
8025  * @param z: auth zone.
8026  * @param env: environment with config and temp buffers.
8027  * @param mods: module stack with validator env for verification.
8028  * @param dnskey: dnskey that we can use, or NULL.  If nonnull, the key
8029  * 	has been verified and is the start of the chain of trust.
8030  * @param is_insecure: if true, the dnskey is not used, the zone is insecure.
8031  * 	And dnssec is not used.  It is DNSSEC secure insecure or not under
8032  * 	a trust anchor.
8033  * @param sigalg: if nonNULL provide algorithm downgrade protection.
8034  * 	Otherwise one algorithm is enough. Must have space of ALGO_NEEDS_MAX+1.
8035  * @param result: if not NULL result reason copied here.
8036  */
8037 static void
8038 auth_zone_verify_zonemd_with_key(struct auth_zone* z, struct module_env* env,
8039 	struct module_stack* mods, struct ub_packed_rrset_key* dnskey,
8040 	int is_insecure, char** result, uint8_t* sigalg)
8041 {
8042 	char reasonbuf[256];
8043 	char* reason = NULL, *why_bogus = NULL;
8044 	struct auth_data* apex = NULL;
8045 	struct auth_rrset* zonemd_rrset = NULL;
8046 	int zonemd_absent = 0, zonemd_absence_dnssecok = 0;
8047 
8048 	/* see if ZONEMD is present or absent. */
8049 	apex = az_find_name(z, z->name, z->namelen);
8050 	if(!apex) {
8051 		zonemd_absent = 1;
8052 	} else {
8053 		zonemd_rrset = az_domain_rrset(apex, LDNS_RR_TYPE_ZONEMD);
8054 		if(!zonemd_rrset || zonemd_rrset->data->count==0) {
8055 			zonemd_absent = 1;
8056 			zonemd_rrset = NULL;
8057 		}
8058 	}
8059 
8060 	/* if no DNSSEC, done. */
8061 	/* if no ZONEMD, and DNSSEC, use DNSKEY to verify NSEC or NSEC3 for
8062 	 * zone apex.  Check ZONEMD bit is turned off or else fail */
8063 	/* if ZONEMD, and DNSSEC, check DNSSEC signature on SOA and ZONEMD,
8064 	 * or else fail */
8065 	if(!dnskey && !is_insecure) {
8066 		auth_zone_zonemd_fail(z, env, "DNSKEY missing", NULL, result);
8067 		return;
8068 	} else if(!zonemd_rrset && dnskey && !is_insecure) {
8069 		/* fetch, DNSSEC verify, and check NSEC/NSEC3 */
8070 		if(!zonemd_check_dnssec_absence(z, env, mods, dnskey, apex,
8071 			&reason, &why_bogus, sigalg, reasonbuf,
8072 			sizeof(reasonbuf))) {
8073 			auth_zone_zonemd_fail(z, env, reason, why_bogus, result);
8074 			return;
8075 		}
8076 		zonemd_absence_dnssecok = 1;
8077 	} else if(zonemd_rrset && dnskey && !is_insecure) {
8078 		/* check DNSSEC verify of SOA and ZONEMD */
8079 		if(!zonemd_check_dnssec_soazonemd(z, env, mods, dnskey, apex,
8080 			zonemd_rrset, &reason, &why_bogus, sigalg, reasonbuf,
8081 			sizeof(reasonbuf))) {
8082 			auth_zone_zonemd_fail(z, env, reason, why_bogus, result);
8083 			return;
8084 		}
8085 	}
8086 
8087 	if(zonemd_absent && z->zonemd_reject_absence) {
8088 		auth_zone_zonemd_fail(z, env, "ZONEMD absent and that is not allowed by config", NULL, result);
8089 		return;
8090 	}
8091 	if(zonemd_absent && zonemd_absence_dnssecok) {
8092 		auth_zone_log(z->name, VERB_ALGO, "DNSSEC verified nonexistence of ZONEMD");
8093 		if(result) {
8094 			*result = strdup("DNSSEC verified nonexistence of ZONEMD");
8095 			if(!*result) log_err("out of memory");
8096 		}
8097 		return;
8098 	}
8099 	if(zonemd_absent) {
8100 		auth_zone_log(z->name, VERB_ALGO, "no ZONEMD present");
8101 		if(result) {
8102 			*result = strdup("no ZONEMD present");
8103 			if(!*result) log_err("out of memory");
8104 		}
8105 		return;
8106 	}
8107 
8108 	/* check ZONEMD checksum and report or else fail. */
8109 	if(!auth_zone_zonemd_check_hash(z, env, &reason)) {
8110 		auth_zone_zonemd_fail(z, env, reason, NULL, result);
8111 		return;
8112 	}
8113 
8114 	/* success! log the success */
8115 	if(reason)
8116 		auth_zone_log(z->name, VERB_ALGO, "ZONEMD %s", reason);
8117 	else	auth_zone_log(z->name, VERB_ALGO, "ZONEMD verification successful");
8118 	if(result) {
8119 		if(reason)
8120 			*result = strdup(reason);
8121 		else	*result = strdup("ZONEMD verification successful");
8122 		if(!*result) log_err("out of memory");
8123 	}
8124 }
8125 
8126 /**
8127  * verify the zone DNSKEY rrset from the trust anchor
8128  * This is possible because the anchor is for the zone itself, and can
8129  * thus apply straight to the zone DNSKEY set.
8130  * @param z: the auth zone.
8131  * @param env: environment with time and temp buffers.
8132  * @param mods: module stack for validator environment for dnssec validation.
8133  * @param anchor: trust anchor to use
8134  * @param is_insecure: returned, true if the zone is securely insecure.
8135  * @param why_bogus: if the routine fails, returns the failure reason.
8136  * @param keystorage: where to store the ub_packed_rrset_key that is created
8137  * 	on success. A pointer to it is returned on success.
8138  * @param reasonbuf: buffer to use for fail reason string print.
8139  * @param reasonlen: length of reasonbuf.
8140  * @return the dnskey RRset, reference to zone data and keystorage, or
8141  * 	NULL on failure.
8142  */
8143 static struct ub_packed_rrset_key*
8144 zonemd_get_dnskey_from_anchor(struct auth_zone* z, struct module_env* env,
8145 	struct module_stack* mods, struct trust_anchor* anchor,
8146 	int* is_insecure, char** why_bogus,
8147 	struct ub_packed_rrset_key* keystorage, char* reasonbuf,
8148 	size_t reasonlen)
8149 {
8150 	struct auth_data* apex;
8151 	struct auth_rrset* dnskey_rrset;
8152 	enum sec_status sec;
8153 	struct val_env* ve;
8154 	int m;
8155 
8156 	apex = az_find_name(z, z->name, z->namelen);
8157 	if(!apex) {
8158 		*why_bogus = "have trust anchor, but zone has no apex domain for DNSKEY";
8159 		return 0;
8160 	}
8161 	dnskey_rrset = az_domain_rrset(apex, LDNS_RR_TYPE_DNSKEY);
8162 	if(!dnskey_rrset || dnskey_rrset->data->count==0) {
8163 		*why_bogus = "have trust anchor, but zone has no DNSKEY";
8164 		return 0;
8165 	}
8166 
8167 	m = modstack_find(mods, "validator");
8168 	if(m == -1) {
8169 		*why_bogus = "have trust anchor, but no validator module";
8170 		return 0;
8171 	}
8172 	ve = (struct val_env*)env->modinfo[m];
8173 
8174 	memset(keystorage, 0, sizeof(*keystorage));
8175 	keystorage->entry.key = keystorage;
8176 	keystorage->entry.data = dnskey_rrset->data;
8177 	keystorage->rk.dname = apex->name;
8178 	keystorage->rk.dname_len = apex->namelen;
8179 	keystorage->rk.type = htons(LDNS_RR_TYPE_DNSKEY);
8180 	keystorage->rk.rrset_class = htons(z->dclass);
8181 	auth_zone_log(z->name, VERB_QUERY,
8182 		"zonemd: verify DNSKEY RRset with trust anchor");
8183 	sec = val_verify_DNSKEY_with_TA(env, ve, keystorage, anchor->ds_rrset,
8184 		anchor->dnskey_rrset, NULL, why_bogus, NULL, NULL, reasonbuf,
8185 		reasonlen);
8186 	regional_free_all(env->scratch);
8187 	if(sec == sec_status_secure) {
8188 		/* success */
8189 		*is_insecure = 0;
8190 		return keystorage;
8191 	} else if(sec == sec_status_insecure) {
8192 		/* insecure */
8193 		*is_insecure = 1;
8194 	} else {
8195 		/* bogus */
8196 		*is_insecure = 0;
8197 		auth_zone_log(z->name, VERB_ALGO,
8198 			"zonemd: verify DNSKEY RRset with trust anchor failed: %s", *why_bogus);
8199 	}
8200 	return NULL;
8201 }
8202 
8203 /** verify the DNSKEY from the zone with looked up DS record */
8204 static struct ub_packed_rrset_key*
8205 auth_zone_verify_zonemd_key_with_ds(struct auth_zone* z,
8206 	struct module_env* env, struct module_stack* mods,
8207 	struct ub_packed_rrset_key* ds, int* is_insecure, char** why_bogus,
8208 	struct ub_packed_rrset_key* keystorage, uint8_t* sigalg,
8209 	char* reasonbuf, size_t reasonlen)
8210 {
8211 	struct auth_data* apex;
8212 	struct auth_rrset* dnskey_rrset;
8213 	enum sec_status sec;
8214 	struct val_env* ve;
8215 	int m;
8216 
8217 	/* fetch DNSKEY from zone data */
8218 	apex = az_find_name(z, z->name, z->namelen);
8219 	if(!apex) {
8220 		*why_bogus = "in verifywithDS, zone has no apex";
8221 		return NULL;
8222 	}
8223 	dnskey_rrset = az_domain_rrset(apex, LDNS_RR_TYPE_DNSKEY);
8224 	if(!dnskey_rrset || dnskey_rrset->data->count==0) {
8225 		*why_bogus = "in verifywithDS, zone has no DNSKEY";
8226 		return NULL;
8227 	}
8228 
8229 	m = modstack_find(mods, "validator");
8230 	if(m == -1) {
8231 		*why_bogus = "in verifywithDS, have no validator module";
8232 		return NULL;
8233 	}
8234 	ve = (struct val_env*)env->modinfo[m];
8235 
8236 	memset(keystorage, 0, sizeof(*keystorage));
8237 	keystorage->entry.key = keystorage;
8238 	keystorage->entry.data = dnskey_rrset->data;
8239 	keystorage->rk.dname = apex->name;
8240 	keystorage->rk.dname_len = apex->namelen;
8241 	keystorage->rk.type = htons(LDNS_RR_TYPE_DNSKEY);
8242 	keystorage->rk.rrset_class = htons(z->dclass);
8243 	auth_zone_log(z->name, VERB_QUERY, "zonemd: verify zone DNSKEY with DS");
8244 	sec = val_verify_DNSKEY_with_DS(env, ve, keystorage, ds, sigalg,
8245 		why_bogus, NULL, NULL, reasonbuf, reasonlen);
8246 	regional_free_all(env->scratch);
8247 	if(sec == sec_status_secure) {
8248 		/* success */
8249 		return keystorage;
8250 	} else if(sec == sec_status_insecure) {
8251 		/* insecure */
8252 		*is_insecure = 1;
8253 	} else {
8254 		/* bogus */
8255 		*is_insecure = 0;
8256 		if(*why_bogus == NULL)
8257 			*why_bogus = "verify failed";
8258 		auth_zone_log(z->name, VERB_ALGO,
8259 			"zonemd: verify DNSKEY RRset with DS failed: %s",
8260 			*why_bogus);
8261 	}
8262 	return NULL;
8263 }
8264 
8265 /** callback for ZONEMD lookup of DNSKEY */
8266 void auth_zonemd_dnskey_lookup_callback(void* arg, int rcode, sldns_buffer* buf,
8267 	enum sec_status sec, char* why_bogus, int ATTR_UNUSED(was_ratelimited))
8268 {
8269 	struct auth_zone* z = (struct auth_zone*)arg;
8270 	struct module_env* env;
8271 	char reasonbuf[256];
8272 	char* reason = NULL, *ds_bogus = NULL, *typestr="DNSKEY";
8273 	struct ub_packed_rrset_key* dnskey = NULL, *ds = NULL;
8274 	int is_insecure = 0, downprot;
8275 	struct ub_packed_rrset_key keystorage;
8276 	uint8_t sigalg[ALGO_NEEDS_MAX+1];
8277 
8278 	lock_rw_wrlock(&z->lock);
8279 	env = z->zonemd_callback_env;
8280 	/* release the env variable so another worker can pick up the
8281 	 * ZONEMD verification task if it wants to */
8282 	z->zonemd_callback_env = NULL;
8283 	if(!env || env->outnet->want_to_quit || z->zone_deleted) {
8284 		lock_rw_unlock(&z->lock);
8285 		return; /* stop on quit */
8286 	}
8287 	if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DS)
8288 		typestr = "DS";
8289 	downprot = env->cfg->harden_algo_downgrade;
8290 
8291 	/* process result */
8292 	if(sec == sec_status_bogus) {
8293 		reason = why_bogus;
8294 		if(!reason) {
8295 			if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY)
8296 				reason = "lookup of DNSKEY was bogus";
8297 			else	reason = "lookup of DS was bogus";
8298 		}
8299 		auth_zone_log(z->name, VERB_ALGO,
8300 			"zonemd lookup of %s was bogus: %s", typestr, reason);
8301 	} else if(rcode == LDNS_RCODE_NOERROR) {
8302 		uint16_t wanted_qtype = z->zonemd_callback_qtype;
8303 		struct regional* temp = env->scratch;
8304 		struct query_info rq;
8305 		struct reply_info* rep;
8306 		memset(&rq, 0, sizeof(rq));
8307 		rep = parse_reply_in_temp_region(buf, temp, &rq);
8308 		if(rep && rq.qtype == wanted_qtype &&
8309 			query_dname_compare(z->name, rq.qname) == 0 &&
8310 			FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NOERROR) {
8311 			/* parsed successfully */
8312 			struct ub_packed_rrset_key* answer =
8313 				reply_find_answer_rrset(&rq, rep);
8314 			if(answer && sec == sec_status_secure) {
8315 				if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY)
8316 					dnskey = answer;
8317 				else	ds = answer;
8318 				auth_zone_log(z->name, VERB_ALGO,
8319 					"zonemd lookup of %s was secure", typestr);
8320 			} else if(sec == sec_status_secure && !answer) {
8321 				is_insecure = 1;
8322 				auth_zone_log(z->name, VERB_ALGO,
8323 					"zonemd lookup of %s has no content, but is secure, treat as insecure", typestr);
8324 			} else if(sec == sec_status_insecure) {
8325 				is_insecure = 1;
8326 				auth_zone_log(z->name, VERB_ALGO,
8327 					"zonemd lookup of %s was insecure", typestr);
8328 			} else if(sec == sec_status_indeterminate) {
8329 				is_insecure = 1;
8330 				auth_zone_log(z->name, VERB_ALGO,
8331 					"zonemd lookup of %s was indeterminate, treat as insecure", typestr);
8332 			} else {
8333 				auth_zone_log(z->name, VERB_ALGO,
8334 					"zonemd lookup of %s has nodata", typestr);
8335 				if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY)
8336 					reason = "lookup of DNSKEY has nodata";
8337 				else	reason = "lookup of DS has nodata";
8338 			}
8339 		} else if(rep && rq.qtype == wanted_qtype &&
8340 			query_dname_compare(z->name, rq.qname) == 0 &&
8341 			FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
8342 			sec == sec_status_secure) {
8343 			/* secure nxdomain, so the zone is like some RPZ zone
8344 			 * that does not exist in the wider internet, with
8345 			 * a secure nxdomain answer outside of it. So we
8346 			 * treat the zonemd zone without a dnssec chain of
8347 			 * trust, as insecure. */
8348 			is_insecure = 1;
8349 			auth_zone_log(z->name, VERB_ALGO,
8350 				"zonemd lookup of %s was secure NXDOMAIN, treat as insecure", typestr);
8351 		} else if(rep && rq.qtype == wanted_qtype &&
8352 			query_dname_compare(z->name, rq.qname) == 0 &&
8353 			FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
8354 			sec == sec_status_insecure) {
8355 			is_insecure = 1;
8356 			auth_zone_log(z->name, VERB_ALGO,
8357 				"zonemd lookup of %s was insecure NXDOMAIN, treat as insecure", typestr);
8358 		} else if(rep && rq.qtype == wanted_qtype &&
8359 			query_dname_compare(z->name, rq.qname) == 0 &&
8360 			FLAGS_GET_RCODE(rep->flags) == LDNS_RCODE_NXDOMAIN &&
8361 			sec == sec_status_indeterminate) {
8362 			is_insecure = 1;
8363 			auth_zone_log(z->name, VERB_ALGO,
8364 				"zonemd lookup of %s was indeterminate NXDOMAIN, treat as insecure", typestr);
8365 		} else {
8366 			auth_zone_log(z->name, VERB_ALGO,
8367 				"zonemd lookup of %s has no answer", typestr);
8368 			if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY)
8369 				reason = "lookup of DNSKEY has no answer";
8370 			else	reason = "lookup of DS has no answer";
8371 		}
8372 	} else {
8373 		auth_zone_log(z->name, VERB_ALGO,
8374 			"zonemd lookup of %s failed", typestr);
8375 		if(z->zonemd_callback_qtype == LDNS_RR_TYPE_DNSKEY)
8376 			reason = "lookup of DNSKEY failed";
8377 		else	reason = "lookup of DS failed";
8378 	}
8379 
8380 	if(!reason && !is_insecure && !dnskey && ds) {
8381 		dnskey = auth_zone_verify_zonemd_key_with_ds(z, env,
8382 			&env->mesh->mods, ds, &is_insecure, &ds_bogus,
8383 			&keystorage, downprot?sigalg:NULL, reasonbuf,
8384 			sizeof(reasonbuf));
8385 		if(!dnskey && !is_insecure && !reason)
8386 			reason = "DNSKEY verify with DS failed";
8387 	}
8388 
8389 	if(reason) {
8390 		auth_zone_zonemd_fail(z, env, reason, ds_bogus, NULL);
8391 		lock_rw_unlock(&z->lock);
8392 		regional_free_all(env->scratch);
8393 		return;
8394 	}
8395 
8396 	auth_zone_verify_zonemd_with_key(z, env, &env->mesh->mods, dnskey,
8397 		is_insecure, NULL, downprot?sigalg:NULL);
8398 	regional_free_all(env->scratch);
8399 	lock_rw_unlock(&z->lock);
8400 }
8401 
8402 /** lookup DNSKEY for ZONEMD verification */
8403 static int
8404 zonemd_lookup_dnskey(struct auth_zone* z, struct module_env* env)
8405 {
8406 	struct query_info qinfo;
8407 	uint16_t qflags = BIT_RD;
8408 	struct edns_data edns;
8409 	sldns_buffer* buf = env->scratch_buffer;
8410 	int fetch_ds = 0;
8411 
8412 	if(!z->fallback_enabled) {
8413 		/* we cannot actually get the DNSKEY, because it is in the
8414 		 * zone we have ourselves, and it is not served yet
8415 		 * (possibly), so fetch type DS */
8416 		fetch_ds = 1;
8417 	}
8418 	if(z->zonemd_callback_env) {
8419 		/* another worker is already working on the callback
8420 		 * for the DNSKEY lookup for ZONEMD verification.
8421 		 * We do not also have to do ZONEMD verification, let that
8422 		 * worker do it */
8423 		auth_zone_log(z->name, VERB_ALGO,
8424 			"zonemd needs lookup of %s and that already is worked on by another worker", (fetch_ds?"DS":"DNSKEY"));
8425 		return 1;
8426 	}
8427 
8428 	/* use mesh_new_callback to lookup the DNSKEY,
8429 	 * and then wait for them to be looked up (in cache, or query) */
8430 	qinfo.qname_len = z->namelen;
8431 	qinfo.qname = z->name;
8432 	qinfo.qclass = z->dclass;
8433 	if(fetch_ds)
8434 		qinfo.qtype = LDNS_RR_TYPE_DS;
8435 	else	qinfo.qtype = LDNS_RR_TYPE_DNSKEY;
8436 	qinfo.local_alias = NULL;
8437 	if(verbosity >= VERB_ALGO) {
8438 		char buf1[512];
8439 		char buf2[LDNS_MAX_DOMAINLEN+1];
8440 		dname_str(z->name, buf2);
8441 		snprintf(buf1, sizeof(buf1), "auth zone %s: lookup %s "
8442 			"for zonemd verification", buf2,
8443 			(fetch_ds?"DS":"DNSKEY"));
8444 		log_query_info(VERB_ALGO, buf1, &qinfo);
8445 	}
8446 	edns.edns_present = 1;
8447 	edns.ext_rcode = 0;
8448 	edns.edns_version = 0;
8449 	edns.bits = EDNS_DO;
8450 	edns.opt_list_in = NULL;
8451 	edns.opt_list_out = NULL;
8452 	edns.opt_list_inplace_cb_out = NULL;
8453 	if(sldns_buffer_capacity(buf) < 65535)
8454 		edns.udp_size = (uint16_t)sldns_buffer_capacity(buf);
8455 	else	edns.udp_size = 65535;
8456 
8457 	/* store the worker-specific module env for the callback.
8458 	 * We can then reference this when the callback executes */
8459 	z->zonemd_callback_env = env;
8460 	z->zonemd_callback_qtype = qinfo.qtype;
8461 	/* the callback can be called straight away */
8462 	lock_rw_unlock(&z->lock);
8463 	if(!mesh_new_callback(env->mesh, &qinfo, qflags, &edns, buf, 0,
8464 		&auth_zonemd_dnskey_lookup_callback, z, 0)) {
8465 		lock_rw_wrlock(&z->lock);
8466 		log_err("out of memory lookup of %s for zonemd",
8467 			(fetch_ds?"DS":"DNSKEY"));
8468 		return 0;
8469 	}
8470 	lock_rw_wrlock(&z->lock);
8471 	return 1;
8472 }
8473 
8474 void auth_zone_verify_zonemd(struct auth_zone* z, struct module_env* env,
8475 	struct module_stack* mods, char** result, int offline, int only_online)
8476 {
8477 	char reasonbuf[256];
8478 	char* reason = NULL, *why_bogus = NULL;
8479 	struct trust_anchor* anchor = NULL;
8480 	struct ub_packed_rrset_key* dnskey = NULL;
8481 	struct ub_packed_rrset_key keystorage;
8482 	int is_insecure = 0;
8483 	/* verify the ZONEMD if present.
8484 	 * If not present check if absence is allowed by DNSSEC */
8485 	if(!z->zonemd_check)
8486 		return;
8487 	if(z->data.count == 0)
8488 		return; /* no data */
8489 
8490 	/* if zone is under a trustanchor */
8491 	/* is it equal to trustanchor - get dnskey's verified */
8492 	/* else, find chain of trust by fetching DNSKEYs lookup for zone */
8493 	/* result if that, if insecure, means no DNSSEC for the ZONEMD,
8494 	 * otherwise we have the zone DNSKEY for the DNSSEC verification. */
8495 	if(env->anchors)
8496 		anchor = anchors_lookup(env->anchors, z->name, z->namelen,
8497 			z->dclass);
8498 	if(anchor && anchor->numDS == 0 && anchor->numDNSKEY == 0) {
8499 		/* domain-insecure trust anchor for unsigned zones */
8500 		lock_basic_unlock(&anchor->lock);
8501 		if(only_online)
8502 			return;
8503 		dnskey = NULL;
8504 		is_insecure = 1;
8505 	} else if(anchor && query_dname_compare(z->name, anchor->name) == 0) {
8506 		if(only_online) {
8507 			lock_basic_unlock(&anchor->lock);
8508 			return;
8509 		}
8510 		/* equal to trustanchor, no need for online lookups */
8511 		dnskey = zonemd_get_dnskey_from_anchor(z, env, mods, anchor,
8512 			&is_insecure, &why_bogus, &keystorage, reasonbuf,
8513 			sizeof(reasonbuf));
8514 		lock_basic_unlock(&anchor->lock);
8515 		if(!dnskey && !reason && !is_insecure) {
8516 			reason = "verify DNSKEY RRset with trust anchor failed";
8517 		}
8518 	} else if(anchor) {
8519 		lock_basic_unlock(&anchor->lock);
8520 		/* perform online lookups */
8521 		if(offline)
8522 			return;
8523 		/* setup online lookups, and wait for them */
8524 		if(zonemd_lookup_dnskey(z, env)) {
8525 			/* wait for the lookup */
8526 			return;
8527 		}
8528 		reason = "could not lookup DNSKEY for chain of trust";
8529 	} else {
8530 		/* the zone is not under a trust anchor */
8531 		if(only_online)
8532 			return;
8533 		dnskey = NULL;
8534 		is_insecure = 1;
8535 	}
8536 
8537 	if(reason) {
8538 		auth_zone_zonemd_fail(z, env, reason, why_bogus, result);
8539 		regional_free_all(env->scratch);
8540 		return;
8541 	}
8542 
8543 	auth_zone_verify_zonemd_with_key(z, env, mods, dnskey, is_insecure,
8544 		result, NULL);
8545 	regional_free_all(env->scratch);
8546 }
8547 
8548 void auth_zones_pickup_zonemd_verify(struct auth_zones* az,
8549 	struct module_env* env)
8550 {
8551 	struct auth_zone key;
8552 	uint8_t savezname[255+1];
8553 	size_t savezname_len;
8554 	struct auth_zone* z;
8555 	key.node.key = &key;
8556 	lock_rw_rdlock(&az->lock);
8557 	RBTREE_FOR(z, struct auth_zone*, &az->ztree) {
8558 		lock_rw_wrlock(&z->lock);
8559 		if(!z->zonemd_check) {
8560 			lock_rw_unlock(&z->lock);
8561 			continue;
8562 		}
8563 		key.dclass = z->dclass;
8564 		key.namelabs = z->namelabs;
8565 		if(z->namelen > sizeof(savezname)) {
8566 			lock_rw_unlock(&z->lock);
8567 			log_err("auth_zones_pickup_zonemd_verify: zone name too long");
8568 			continue;
8569 		}
8570 		savezname_len = z->namelen;
8571 		memmove(savezname, z->name, z->namelen);
8572 		lock_rw_unlock(&az->lock);
8573 		auth_zone_verify_zonemd(z, env, &env->mesh->mods, NULL, 0, 1);
8574 		lock_rw_unlock(&z->lock);
8575 		lock_rw_rdlock(&az->lock);
8576 		/* find the zone we had before, it is not deleted,
8577 		 * because we have a flag for that that is processed at
8578 		 * apply_cfg time */
8579 		key.namelen = savezname_len;
8580 		key.name = savezname;
8581 		z = (struct auth_zone*)rbtree_search(&az->ztree, &key);
8582 		if(!z)
8583 			break;
8584 	}
8585 	lock_rw_unlock(&az->lock);
8586 }
8587